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Foreword 



rd , 



This Technical Specification (TS) has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

X the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



Introduction 

This Technical Specification has been produced by the 3GPP TSG SA to allow for the standardisation in the area of 
lawful interception of telecommunications. This document describes in general the architecture and functions for lawful 
interception. Laws of individual nations and regional institutions (e.g. European Union), and sometimes licensing and 
operating conditions define a need to intercept telecommunications traffic and related information in modern 
telecommunications systems. It has to be noted that lawful interception shall always be done in accordance with the 
applicable national or regional laws and technical regulations. 
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Scope 



The present document describes the architecture and functional requirements within a Third Generation Mobile 
Conmiunication System (3GMS) and the Evolved Packet System (EPS). 

The specification shows the service requirements from a Law Enforcement point of view only. The aim of this 
document is to define a 3GMS and EPS interception system that supports a number of regional interception regulations, 
but these regulations are not repeated here as they vary. Regional interception requirements shall be met in using 
specific (regional) mediation functions allowing only required information to be transported. 

The handover interfaces for Lawful Interception (LI) of Packet-Data Services, Circuit Switched Services, and 
Multimedia Services within the UMTS network and Evolved Packet System for Stage 3 are described in 
TS 33.108 [11]. 
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3 Definitions, symbols and abbreviations 

3.1 Definitions 

For the purposes of the present document, the terms and definitions given in TR 21.905 [13] and the following apply. 

Application layer: As defined by Internet Engineering Task Force (IETF) in RFC 1123 [19]. 

IP layer: As defined by Internet Engineering Task Force (IETF) in RFC 1 122 [18] 

Interception Area: is a subset of the network service area comprised of a set of cells which defines a geographical 
zone. 

Location Dependent Interception: is interception of a target mobile within a network service area that is restricted to 
one or several Interception Areas (lA). 

Other LI specific definitions are given in TS 33.108 [11]. 

3.2 Abbreviations 

For the purposes of the present document, the abbreviations given in TR 21.905 [13] and the following apply: 

3GMS 3rd Generation Mobile Communications System 

3G GGSN 3rd Generation Gateway GPRS Support Node 

3G GSN 3rd Generation GPRS Support Node (GGSN/SGSN) 

3G MSC 3rd Generation Mobile Switching Center 

3G SGSN 3rd Generation Serving GPRS Support Node 

3G UMSC 3rd Generation Unified Mobile Switching Centre 

AAA Authentication, Authorization, and Accounting 

ADMF Administration Function 

AN Access Network 

AP Access Provider 
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BM-SC Broadcast-Multicast Service Centre 

CC Content of Communication 

CS Circuit Switched 

CSCF Call Session Control Function 

DF Delivery Function 

DSMIP Dual Stack Mobile IP 

ECT Explicit Call Transfer 

EPC Evolved Packet Core 

ePDG Evolved PDG 

EPS Evolved Packet System 

E-UTRAN Evolved UTRAN 

FTP File Transfer Protocol 

GGSN Gateway GPRS Support Node 

GPRS General Packet Radio Service 

GSM Global System for Mobile communications 

GSN GPRS Support Node (SGSN or GGSN) 

HA Home Agent 

HI Handover Interface 

HRPD High Rate Packet Data 

HSS Home Subscriber Server 

lA Interception Area 

ICEs Intercepting Control Elements (3G MSC Server, 3G GMSC Server, P-CSCF, S-CSCF, SGSN, 

GGSN, HLR, AAA Server, PDG, MME, S-GW, PDN-GW, HSS) 

IETF Internet Engineering Task Force 

IMEI International Mobile station Equipment Identity 

IMS IP Multimedia Core Network Subsystem 

IMSI International Mobile Subscriber Identity 

INEs Intercepting Network Elements (3G MSC Server, 3G GMSC Server, P-CSCF, S-CSCF, SGSN, 

GGSN, MGW, HLR, AAA Server, PDG) 

IP Internet Protocol 

IRI Intercept Related Information 

I-WLAN Interworking WLAN (3GPP WLAN interworking subnetwork) 

LAN Local Area Network 

LDI Location Dependent Interception 

LEA Law Enforcement Agency 

LEMF Law Enforcement Monitoring Facility 

MBMS Multimedia Broadcast/Multicast Service 

ME Mobile Entity 

MIP Mobile IP 

MME Mobility Management Entity 

MN Mobile Node 

MSISDN Mobile Subscriber ISDN Number 

NAI Network Access Identifier 

NO Network Operator 

PDG Packet Data Gateway 

PDN Packet Data Network 

PDN-GW PDN Gateway 

PMIP Proxy Mobile IP 

PoC Push to talk over Cellular 

PS Packet Switched 

RA Routing Area 

RAI Routing Area Identity 

SAI Service Area Identity 

SGSN Serving GPRS Support Node 

SIP Session Initiation Protocol 

SMS Short Message Service 

S-GW Serving Gateway 

TEL URL "tel" URL, as defined in RFC 2806 [9] 

UE User Equipment 

UMTS Universal Mobile Telecommunication System 

URI Universal Resource Identifier 

URL Universal Resource Locator 



ETSI 



3GPP TS 33.107 version 8.7.0 Release 8 



12 



ETSI TS 133 107 V8.7.1 (2009-04) 



VoIP 

WLAN 



Voice over IP 
Wireless LAN 



Functional architecture 



The following figures contain the reference configuration for the lawful interception. The circuit-switched configuration 
is shown in figure la. The packet-switched configuration is shown in figure lb. Intercept configurations for HLR and 
IMS are shown in figures Ic and Id. The WLAN interworking configuration is shown in figure le. The various entities 
and interfaces are described in more detail in the succeeding clauses. The additional intercept configurations for 
Evolved 3 GPP Packet Switching Domain are described in clause 12. 

PS domain of the UMTS system (GSN and Multimedia Packet Data services), 3GPP-WLAN interworking network and 
Evolved Packet Switching Domain provide UMTS/GSM/EPS customer's mobile equipment (UE) with connectivity 
service to another end of the communication. Another end of the communication may be a network element (server) or 
another UE. Therefore, UMTS/EPS system provides IP layer TS 23.008 [15] services. Hence, UMTS/EPS NO/AP is 
responsible only for IP layer interception of CC data. In addition to CC data, the LI solution for UMTS/EPS offers 
generation of IRI records from respective control plane (signalling) messages. The IP layer connectivity service is 
needed to support application layer TS 29.234 [16] service provision to UMTS/GSM/EPS customers. For instance, the 
following are examples of application layer services: email service; web browsing service; FTP service; audio services 
(e.g. VoIP, PoC); other multimedia services (MBMS, video telephony); The majority of the application layer services 
require addition of respective server functionality to the network. Note that it is not necessary that such application layer 
SP should be the same commercial entity as the UMTS/EPS AP/NO in question. 

NOTE 1 : For instance in MBMS a BM-SC and especially content providing server may be operated by different 
commercial entity than UMTS network. 
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Figure la: Circuit switched intercept configuration 
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Figure lb: Packet Switched Intercept configuration 




Figure 1c: HLR Intercept configuration 
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Figure Id: IMS-CSCF Intercept configuration 
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Figure 1e: WLAN Interworking Intercept configuration 



xi_i 




Figure 1f: IMS Conferencing Intercept configuration 

The reference configuration is only a logical representation of the entities involved in lawful interception and does not 
mandate separate physical entities. 

Regional Mediation Functions, which may be transparent or part of the administration and delivery functions, are used 
to convert information on the HIl, HI2 and HI3 interfaces in the format described in various national or regional 
specifications. For example, if ETSI ES 201 671 [3] or ANSI J-STD-025 [8] is used, then the adaptation to HIl, HI2 
and HI3 will be as defined in those specifications. 

There is one Administration Function (ADMF) in the network. Together with the delivery functions it is used to hide 
from the 3G ICEs that there might be multiple activations by different Law Enforcement Agencies (LEAs) on the same 
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target. The administration function may be partitioned to ensure separation of the provisioning data from different 
agencies. 

See the remaining clauses of this document for definitions of the Xl_l, Xl_2, Xl_3, X2 and X3 interfaces. 

Interception at the Gateways is a national option. However, if 3G direct tunnel functionality with the GGSN, as defined 
in TS 23.060 [10], is used in the network, then the GGSN shall perform the interception of IRI and the content of 
communications. 

In figure la DF3 is responsible for two primary functions: 

- Call Control (Signalling) for the Content of Communication (CC); and 

- Bearer Transport for the CC. 

HI3 is the interface towards the LEMF. It must be able to handle the signalling and the bearer transport for CC. 

In figures la, lb, le and If, the HI2 and HI3 -interfaces represent the interfaces between the LEA and two delivery 
functions. The delivery functions are used: 

- to distribute the Intercept Related Information (IRI) to the relevant LEA(s) via HI2 (based on lAs, if defined); 

- to distribute the Content of Communication (CC) to the relevant LEA(s) via HI3 (based on I As, if defined). 

In figures Ic and Id the HI2 interface represents the interface between the LEA and the delivery function. The delivery 
function is used to distribute the Intercept Related Information (IRI) to the relevant LEA(s) via HI2. 

NOTE 2: With reference to figure Ic, CC interception does not apply to HLR. 

NOTE 3: For IMS, figure Id relates to the provision of IRI for SIP messages handled by the CSCF. Interception of 
CC for this case can be done at the GSN under a separate activation and invocation, according to the 
architecture in Figure lb (see also clause 7.A.1). 



5 Activation, deactivation and interrogation 

Figure 2 is an extraction from the reference intercept configuration shown in figures la through to le which is relevant 
for activation, deactivation and interrogation of the lawful interception. 
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Figure 2: Functional model for Lawful Interception activation, deactivation and interrogation 

In addition to the typical 3G ICEs functional entities, a new functional entity is introduced - the ADMF - the Lawful 
Interception administration function. The ADMF: 

- interfaces with all the LEAs that may require interception in the intercepting network; 

- keeps the intercept activities of individual LEAs separate; 

- interfaces to the intercepting network. 
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Every physical 3G ICE is linked by its own Xl_l -interface to the ADMF. Consequently, every single 3G ICE performs 
interception (activation, deactivation, interrogation as well as invocation) independently from other 3G ICEs. The HIl- 
interface represents the interface between the requester of the lawful interception and the Lawful administration 
function; it is included for completeness, but is beyond the scope of standardisation in this document. 

The target identities for 3GMS CS and PS interception at the SGSN, GGSN, 3G MSC Server and 3G GMSC Server can 
be at least one of the following: IMSI, MSISDN or IMEL 

NOTE 1 : Some communication content during a mobility procedure may not be intercepted when interception is 

based on MSISDN (only PS interception) or IMEL The use of the IMSI does not have this limitation. For 
the availability of the target identities IMSI, MSISDN and IMEI (PS interception), refer to 
TS 23.060 [10]. 

The target identities for multi-media at the CSCF can be one or more of the following: SIP URI or TEL URL. Other 
identities are not defined in this release. 

The target identities for 3GPP WLAN Interworking interception can be MSISDN, IMSI or NAI. For the availability of 
the target identities in the I- WLAN nodes (AAA server, PDG, WAG), refer to TS 23.234 [14], TS 23.008 [15], 
TS 29.234 [16] andTS 24.234 [17]. 

NOTE 2: The NAI may be a temporary ID, therefore the use of MSISDN or IMSI is recommended. 

NOTE 3: Void 

In the case of location dependent interception the following network/national options exist: 

- target location versus Interception Areas (I As) check in the 3G ICEs and Delivery Functions (DFs); 

- target location versus I As check in the DFs (physical collocation of the DFs to the 3G ICEs may be required by 
national law); 

- location dependent interception is not applicable to CSCF. 

NOTE 4: The I A is previously defined by a set of cells. From the location of the target this set of cells permits to 
find the relevant lA. 

NOTE 5: It is not required that the 3G GMSC or the 3G GGSN are used for interception when Location Dependent 
Interception is invoked and the location of the target is not available. 

Editors' note: Location dependent intercept for the 3G MSC Server is not defined for this release. 

The ADMF shall be able to provision P-CSCFs independently from S-CSCFs. If both P-CSCFs and S-CSCFs are 
administered within the network for intercept, redundant multi-media IRI may be presented to the agency as a result. 

5.1 Activation 

Figures 3, 4 and 5 show the information flow for the activation of Lawful Interception. 

5.1.1 XI _1 -interface 

The messages sent from the ADMF to the 3G ICEs (Xl_l -interface) contain the: 

- target identities (MSISDN, IMSI, IMEI, SIP URI or TEL URL, NAI) (see notes 4, 5, 6); 
information whether the Content of Communication (CC) shall be provided (see note 1); 

- address of Delivery Function 2 (DF2) for the intercept related information (see note 2); 

- address of Delivery Function 3 (DF3) for the intercepted content of communications (see note 3); 

- lA in the case of location dependent interception. 
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NOTE 1 : As an option, the filtering whether intercept content of communications and/or intercept related 

information has to be provided can be part of the delivery functions. (Note that intercept content of 
communications options do not apply at the CSCF, HLR and AAA server). If the option is used, the 
corresponding information can be omitted on the Xl_l -interface, while "information not present" means 
"intercept content of communicationsand related information has to be provided" for the ICE. 
Furthermore the delivery function which is not requested has to be "pseudo-activated", in order to prevent 
error cases at invocation. 

NOTE 2: As an option, only a single DF2 is used by and known to every 3G ICE. In this case the address of DF2 
can be omitted. 

NOTE 3: As an option, only a single DF3 is used by and known to every 3G ICE (except at the CSCFs, HLR and 
AAA server). In this case the address of DF3 can be omitted. 

NOTE 4: Since the IMEI is not available, interception based on IMEI is not applicable at the 3G Gateway. 

Moreover, in case the IMEI is not available, interception based on IMEI is not applicable at 3G ICEs. 

NOTE 5: Interception at the CSCFs is based upon either SIP URI or TEL URL. SIP URI and TEL URL as target 
identities are not supported by the other ICEs. 

NOTE 6: Interception based on NAI is only applicable at AAA server, PDG, and WAG. As the NAI could be 
encrypted or based on temporary identity at the PDG and WAG, interception based on the NAI is not 
applicable in those cases in these nodes. 

NOTE 7: Void 

If after activation subsequent Content of Communications (CC) or Intercept Related Information (IRI) has to be 
activated (or deactivated) an "activation change request" with the same identity of the target is to be sent. 
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Figure 3: Information flow on X1_1 -interface for Lawful Interception activation 

Interception of a target can be activated on request from different LEAs and each LEA may request interception via a 
different identity. In this case, each target identity on which to intercept will need to be sent via separate activation 
messages from ADMF to the 3G ICEs on the Xl_l -interface. Each activation can be for IRI only, or both CC and IRI. 

When several LEAs request activation on the same identity and the ADMF determines that there is an existing 
activation on the identity, the ADMF may (as an implementation option) send additional activation message(s) to the 
3G ICEs. When the activation needs to change from IRI only to CC and IRI an activation change message will be sent 
to the 3G ICEs. 

In the case of a secondary interception activation only the relevant LEAs will get the relevant IRIs. 
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5.1.2 X1_2-interface (IRI) 

For the activation of IRI the message sent from the ADMF to the DF contains: 

- the target identity; 

the address for deHvery of IRI (= LEMF address); 

- which subset of information shall be delivered; 

a DF2 activation identity, which uniquely identifies the activation for DF2 and is used for further interrogation or 
deactivation, respectively; 

- the I A in case of location dependent interception; 

- the warrant reference number if required by national option. 

If a target is intercepted for several LEAs and/or several identities simultaneously, a single activation of delivery is 
necessary for each combination of LEA and identity. 
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Figure 4: Information flow on X1_2-interface for Lawful Interception activation 



5.1.3 X1_3-interface (CC) 



For the activation of intercepted Content of Communications the message sent from the ADMF to the Delivery 
Function contains: 

- the target identity; 

- the address of delivery for CC (= LEMF address); 

a DF3 activation identity, which uniquely identifies the activation for DF3 and is used for further interrogation or 
deactivation, respectively; 

- the I A in case of location dependent interception; 

the warrant reference number if required by national option. 

If a target is intercepted by several LEAs and/or several identities simultaneously, a single activation of delivery is 
necessary for each combination of LEA and identity. 
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Figure 5: Information flow on X1_3-interface for Lawful Interception activation 

5.2 Deactivation 

Figures 6, 7 and 8 show the information flow for the deactivation of the Lawful interception. 

5.2.1 X1_1 -interface 

The messages sent from the ADMF to the 3G ICEs for deactivation contain: 

- the target identity; 

- the possible relevant lAs in case of location dependent interception. 
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Figure 6: Information flow on X1_1 -interface for Lawful Interception deactivation 

If interception of a target has been activated via different identities then a separate deactivation message will need to be 
sent from the ADMF to the 3G ICEs for each identity. 

When several LEAs requested activation on the same identity and subsequently request deactivation then the ADMF 
determines that there are remaining activations on the identity. In this case, the ADMF will not send a deactivation 
message to the 3G ICEs except when the activation needs to change from CC and IRI to IRI only. In that case an 
activation change message will be sent to the 3G ICEs. 
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5.2.2 X1_2-interface (IRI) 

The message(s) sent from the ADMF to DeHvery Function 2 for the deactivation of the Intercept Related Information 
contains: 

- a DF2 activation ID, which uniquely identifies the activation to be deactivated for DF2. 

If a target is intercepted by several LEAs and/or several identities simultaneously, a single deactivation is necessary for 
each combination of LEA and identity. 
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Figure 7: Information flow on X1_2-interface for Lawful Interception deactivation 

5.2.3 X1_3-interface (CC) 

For deactivating the delivery of the CC the message(s) sent from the ADMF to DF3 contains: 
- a DF3 activation ID, which uniquely identifies the activation to be deactivated for DF3. 
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Figure 8: Information flow on X1_3-interface for Lawful Interception deactivation 



5.3 Interrogation 



Interrogation provides the current status of the interception activation in the system. Interrogation of all activations for a 
given LEA is an ADMF function. 



ETSI 



3GPP TS 33.107 version 8.7.0 Release 8 



21 



ETSI TS 133 107 V8.7.1 (2009-04) 



5.3.1 Interrogation of the 3G ICEs 



Figure 9 shows the information flow for the interrogation of the Lawful Interception. It shall be possible to interrogate: 

- a specific activation at each relevant 3G ICEs; 

- all activations at each relevant 3G ICEs. 

As a result of the interrogation the activation status and data are returned. 
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Figure 9: Interrogation of tlie Lawful Interception (3G ICEs) 



5.3.2 Interrogation of Delivery Functions 



Figure 10 shows the information flow for the interrogation of the Lawful Interception. It shall be possible to interrogate: 

- a specific activation at a DF; 

- all activations at a DF for a given target identity; 

- all activations at a DF. 

As a result of the interrogation the activation status and data are returned. 
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Figure 10: Interrogation of the Lawful Interception (Delivery Functions) 
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6 Invocation of Lawful Interception for Circuit Switched 

Services 

Figure 1 1 shows an extraction from the reference configuration in figure la which is relevant for the invocation of the 
lawful interception. 
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Figure 11: Functional model for Lawful Interception invocation 

The HI2 and HI3 interfaces represent the interfaces between the LEMF and two deHvery functions. Both interfaces are 
subject to national requirements. They are included for completeness, but are beyond the scope of standardization in this 
document. The delivery functions are used: 

- to convert the information on the X2-interface to the corresponding information on the HI2-interface; 
to convert the information on the X3 -interface to the corresponding information on the HIS -interface; 

- to distribute the intercept related information to the relevant LEA(s) (based on lAs, if defined); 

- to distribute the intercept content of communicationsto the relevant LEA(s) (based on I As, if defined). 

For the delivery of the CC and IRI, the 3G MSC Server provides a correlation number and target identity to the DF2 
and DF3 which is used to select the different LEAs to which the product shall be delivered. 

NOTE: If interception has been activated for both parties of the call both CC and IRI will be delivered for each 
party as separate intercept activity. 

The Mc interface between the 3G MSC Server and MGW is used to establish intercept and deliver the bearer to DF3. 

For Location Dependent Interception, the location dependency check occurs at the establishment of each call. 
Subsequent dependency checks for simultaneous calls are not required, but can be a national option. 

If a target is marked using an lA in the 3G MSC Server, the 3G MSC Server shall perform a location dependency check 
at call set-up. Only if the target's location matches the lA then the call is intercepted. 

If a target is marked using an lA in the DF2, the DF2 shall perform a location dependency check at reception of the first 
IRI for the call. Only if the target's location matches the lA for certain LEAs is IRI the relayed to these LEAs. All 
subsequent IRIs for the call are sent to the same LEAs. 

If a target is marked using an I A in the DF3, the DF3 signalling function shall perform a location dependency check at 
reception of the CC. Only if the target's location matches the lA for certain LEAs is the CC relayed to these LEAs. 
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6.1 Provision of Intercept CC - Circuit Switched 

Figure 12 shows the access method for the dehvering of CC. The access method shall be a bridged/ T-connection. 
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Figure 12: Delivery configuration to the LEMF for the interception of a circuit switched call 

The signals of both parties of the configuration to be intercepted are delivered separately to the LEMF. The delivery 
function has no impact on the connection between the subscribers. 

The two stublines towards the LEMF are established in parallel to the call set up. For both stublines the address is used 
which has been provided during activation. 

Bearer, and only bearer, is sent from the MGW to the bearer function of DF3. 

NOTE 1 : For data calls it is necessary to provide means for fast call establishment towards the LEMF to help 
ensure that the beginning of the data transmission is delivered. 

The following information needs to be transferred from the 3G MSC Server to the DF3 in order to allow the DF3 to 
perform its functionality: 

- target identity (MSISDN, IMSI or IMEI); note 2 

- the target location (if available) or the lAs in case of location dependent interception, note 2 
correlation number (IRI <-> CC); 

- direction indication - (Signal from target or signal to target). 
NOTE 2: For DF3 internal use only. 

Additional information may be provided if required by national laws. 

6.2 Provision of CC - Short IVIessage Service 

Figure 14 shows an SMS transfer from the 3G MSC Server to the LEMF. Quasi-parallel to the delivery from / to the 
mobile subscriber a message, which contains the contents of the SMS with the header, is generated and sent via the 
Delivery Function 2 to the LEMF in the same way as the Intercept Related Information. 

The IRI will be delivered to the LEMF: 

for a SMS-MO. Dependent on national requirements, delivery shall occur either when the 3G MSC receives the 
SMS from the target MS, or when the 3G MSC receives notification that the SMS-Centre successfully received 
the SMS; 
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for a SMS-MT. Dependent on national requirements, delivery shall occur either when the 3G MSC receives the 
SMS from the SMSC, or when the 3G MSC receives notification that the target MS successfully received the 
SMS. 
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Figure 14: Provision of Content of Communication - Sliort Message Service 

6.3 Provision of Intercept Related Information 

Intercept Related Information (Events) are necessary at the Begin and End of the call, for all supplementary services 
during a call and for information which is not call associated. There are call related events and non call related events. 

Figure 15 shows the transfer of intercept related information to the DF2. If an event for / from a mobile subscriber 
occurs, the 3G MSC Server sends the relevant data to the DF2. 
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Figure 15: Provision of Intercept Related Information 

6.3.1 X2-interface 

The following information needs to be transferred from the 3G MSC Server to the DF2 in order to allow a DF2 to 
perform its functionality: 

- target identity (MSISDN, IMSI or IMEI); 

- in case of location dependent interception, the I As and/or target cell ID shall be provided; 

- events and associated parameters as defined in clauses 6.3.3 and 6.3.4 may be provided. 
The IRI should be sent to DF2 with a reliable transport mechanism. 
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6.3.2 Structure of the events 

The information sent to DF2 is triggered by up to eight different call related and non-call related events. Details are 
described in following clause. The events for interception are configurable (if they are sent to DF2) in the 3G MSC 
Server and can be suppressed in the DF2. The events are listed as follows: 

Call Related Events: 

- Call Establishment 

- Answer 

- Supplementary Service 

- Handover 

- Release 

Non Call Related Events: 

- SMS 

- Location Update 

- Subscriber Controlled Input 

Table 1 below shows the set of information that can be associated with the events. The events trigger the transmission 
of the information from the 3G MSC Server to DF2. Available lEs from this set of information can be extended in the 
3G MSC Server, if this is necessary in a specific country. DF2 can extend available information if this is necessary in a 
specific country e.g. a unique number for each surveillance warrant. 
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Table 1: Information Elements for Circuit Event records 



Observed MSISDN 

Target Identifier with the MSISDN of the target subscriber (monitored subscriber). 



Observed IIVISI 

Target Identifier with the IIVISI of the target subscriber (monitored subscriber). 



Observed IIVIEI 

Target Identifier with the IIVIEI of the target subscriber (monitored subscriber), 
It shall be checked for each call over the radio interface 



event type 

Description which type of event is delivered: Establishment, Answer, Supplementary service. 
Handover, Release, SMS, Location update. Subscriber controlled input 



event date 

Date of the event generation in the 3G MSC Server 



event time 

Time of the event generation in the 3G MSC Server 



dialled number 

Dialled phone number before digit modification, IN-modification etc. 



Connected number 

Number of the answering party 



other party address 

Directory number of the other party for MOC 
Calling party for MTC 



call direction 

Information if the monitored subscriber is calling or called e.g. MOC/MTC or originating/ terminating 
In or/out 



Correlation number 

Unique number for each call sent to the DF, to help the LEA, to have a correlation between each 
Call and the IRI 



Network Element Identifier 

Unique identifier for the element reporting the ICE. 



Location Information 

Location information is the service area identity and/or location area identity that is present at the 3G MSC Server 
at the time of event record production 



basic service 

Information about Tele service or bearer service. 



Supplementary service 

Supplementary services used by the target e.g. CF, CW, ECT 



Forwarded to number 

Forwarded to number at CF 



call release reason 

Call release reason of the target call 



SMS initiator 

SMS indicator whether the SMS is MO, MT, or undefined 



SMS Message 

The SMS content with header which is sent with the SMS-service 



Redirecting number 

The number which invokes the call forwarding towards the target. This is provided if available. 



SCI 

Non call related Subscriber Controlled Input (SCI) which the 3G MSC Server receives from the ME 
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6.3.3 Call Related events 



6.3.3.1 



Call establishment 



For call establishment a call establishment-event is generated. This event is generated at the beginning of a call when 
the 3G MSC Server attempts to reach the subscriber. This information will be delivered to the DF2 if available: 



Observed MSISDN 
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Observed IMEI 



event type 



event date 



event time 



dialled number 



other party address 



call direction 



Correlation number 



Redirecting number 



Network Element Identifier 



Location Information 



basic service 



Supplementary service 



6.3.3.2 Answer 

If the called party answers, an answer- event is generated. This information will be delivered to the DF2 if available: 
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6.3.3.3 



Supplementary Services 



For supplementary services events are generated with the information which supplementary service is used e.g. Call 
Forwarding (CF), Call Waiting (CW), ExpHcit Call Transfer (ECT), Multi Party (MPTY), Call Hold and information 
correlated to the service like the forwarded to number. This information will be delivered to the DF2 if available: 
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call direction 
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Location Information 
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Supplementary service 



Forwarded to number 



6.3.3.4 



Handover 



For each handover that is realised at the 3G MSC Server due to a change in target location information, a handover- 
event with the new location information is generated. This information will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



event type 



event date 



event time 



Correlation number 



Network Element Identifier 



Location Information 



6.3.3.5 



Release 



For the release or failed attempt of a target call, a release event with the following information is generated. This 
information will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



event type 



event date 



event time 



dialled number 



other party address 



call direction 



Correlation number 



Network Element Identifier 



Location Information 



basic service 



call release reason 
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6.3.4 Non Call Related events 



6.3.4.1 



SMS 



For MO-SMS the event is generated in the 3G MSC Server. Dependent on national requirements, event generation shall 
occur either when the 3G MSC Server receives the SMS from the target MS or when the 3G MSC Server receives 
notification that the SMSC successfully receives the SMS; for MT-SMS the event is generated in the 3G MSC Server. 
Dependent on national requirements, event generation shall occur either when the 3G MSC Server receives the SMS 
from the SMSC or when the 3G MSC Server receives notification that the target MS successfully received the message. 
This information will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



event type 



event date 



event time 



Network Element Identifier 



Location Information 



SIVIS initiator 



SIVIS IVIessage 



6.3.4.2 



Location update 



For location updates a Location update-event is generated, with the new location information. This information will be 
delivered to the DF2 if available: 



Observed MSISDN 



observed IIVISI 



event type 



event date 



event time 



Network Element Identifier 



Location Information 



6.3.4.3 



Subscriber Controlled Input (SCI) 



SCI includes subscriber initiated changes in service activation and deactivation. SCI does not include any information 
available in the CC. For subscriber controlled inputs - a SCI-event is generated with information about the SCI. This 
information will be delivered to the DF2 if available: 



observed MSISDN 



observed IMSI 



event type 



event date 



event time 



Network Element Identifier 



Location Information 
SCI 
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6.4 Intercept cases for circuit switclied supplementary services 
6.4.1 Interception of Multiparty call 



* B 















► 




3GMGW 

.A. 




A 






J 


► 










^ 




















DF3 

bearer 







" c 



D 



Figure 16: Interception of Multiparty for CC 

Figure 16 shows the deHvery of CC from intercepted multiparty call where party A is the target of interception. 

One pair of call content channels are delivered to the delivery function. Party A is delivered to the DF3 on one channel 
and the sum of the balance of the parties, B,C and D is delivered on the second channel. 

It should be noted that if parties B,C or D is a target of interception, that intercept is treated as a simple call intercept. 

The events contain information about B, C and D if subscriber A is monitored. If one of B, C or D is monitored, events 
contain the information about A but not the other parties of the conference. 

6.4.2 Interception for Call Forwarding / Call Deflection / ECT 




Bearer Traffic 



Figure 17: Interception for Call Forwarding / Deflection / ECT 

The interception of party B once the supplementary service is invoked is a national option. 
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For Intercept Related Information it depends who is monitored: 

If subscriber A is monitored the number of A and B are mandatory in the event information and the number of C 
if available. 

- If subscriber B is monitored the number of B and C are mandatory in the event information and the number of A 
if available. 

If subscriber C is monitored the number of C is mandatory in the event information and the number of A and B if 
available. 

Intercept requirements for CS multi-media is not defined in this release. 



7 Invocation of Lawful Interception for GSN Packet 

Data services 

Figure 18 shows the extract from the reference configuration which is relevant for the invocation of the Lawful 
Interception of the packet data GSN network. 
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Figure 18: Functional model for Packet Data GSN Network Lawful Interception invocation 

The HI2 and HI3 interfaces represent the interfaces between the LEA and two delivery functions. Both interfaces are 
subject to national requirements. They are included for completeness, but are beyond the scope of this specification. 
The delivery functions are used: 

- to convert the information on the X2-interface to the corresponding information on the HI2 interface; 

- to distribute the intercept related information to the relevant LEA(s); 

- to distribute the intercept product to the relevant LEA(s). 

For the delivery of the CC and IRI the 3G SGSN and/or, per national option 3G GGSN provides correlation number and 
target identity to the DF2 and DF3 which is used there in order to select the different LEAs where the product shall be 
delivered. 

The correlation number is unique in the whole PLMN and is used to correlate CC with IRI and the different IRI's of one 
PDP context. 

The correlation number shall be generated by using existing parameters related to the PDP context. 

NOTE 1 : If interception has been activated for both parties of the Packet Data communication both CC and IRI will 
be delivered for each party as separate intercept activity. 

In case of location dependent interception: 

- for each target, the location dependency check occurs at each Packet Data session establishment or release and at 
each Routing Area (RA) update to determine permanently the relevant lAs (and deduce, the possible LEAs 
within these I As); 

- concerning the IRI: 
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- when an I A is left, either a Mobile Station Detach event is sent when changing servicing 3G GSNs, or an RA 
update event is sent; 

- RA update event is sent to DF2 when changing I As inside the same servicing 3G SGSN; 

- when a new I A is entered a RA update event is sent to DF2 and, optionally, a "Start of interception with PDP 
context active" event for each PDP context; 

concerning the CC, when crossing lAs, the CC is not sent anymore to the DF3 of the old lA but sent to the DF3 
of the new lA. 

Both in case of location dependent and location independent interception: 

"Start of interception with PDP context active" event is sent by the new SGSN if an Inter-SGSN RA update procedure, 
which involves different PLMNs, takes place for a target, which has at least one active PDP context. 

NOTE 2: An SGSN can differentiate "Inter PLMN" type of Inter-SGSN RA update procedure from "Intra PLMN" 
type of Inter-SGSN RA update procedure by inspecting the old RAI parameter, which is being received 
by the SGSN as part of the procedure (see TS 23.060 [10], clause 6.9.1.2.2 and TS 23.003, clause 4.2). 

Optionally, it is possible to send "Start of interception with PDP context active" for all cases of inter- SGSN RA update 
when at least one PDP context is active. 

7.1 Provision of Intercept Product - Short Message Service 

Figure 19 shows an SMS transfer from the 3G SGSN node to the LEA. Quasi-parallel to the delivery from / to the 
mobile subscriber a SMS event, which contains the content and header of the SMS, is generated and sent via the 
Delivery Function 2 to the LEA in the same way as the Intercept Related Information. National regulations and warrant 
type determine if a SMS event shall contain only SMS header, or SMS header and SMS content. 

The IRI will be delivered to the LEA: 

- for a SMS-MO. Dependent on national requirements, delivery shall occur either when the 3G SGSN receives the 
SMS from the target MS or when the 3G SGSN receives notification that the SMS-Centre successfully received 
the SMS; 

for a SMS-MT. Dependent on national requirements, delivery shall occur either when the 3G SGSN receives the 
SMS from the SMS-Centre or when the 3G SGSN receives notification that the target MS successfully received 
the SMS. 
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Figure 19: Provision of Intercept Product - Sliort Message Service 
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7.2 Provision of Intercepted Content of Communications - 
Packet data GSN services 

The access method for the deHvering of Packet Data GSN Intercept Product is based on duplication of packets without 
modification at 3G GSN. The dupHcated packets with additional information in a header, as described in 7.2.1, are sent 
to DF3 for further delivery to the LEA. 
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Figure 20: Configuration for interception of Pacl<et Data GSN product data 

7.2.1 X3-intei1ace 

In addition to the intercepted content of communications, the following information needs to be transferred from the 3G 
GSN to the DF3 in order to allow the DF3 to perform its functionality: 

- target identity; 
correlation number; 

- time stamp - optional; 

direction (indicates whether T-PDU is MO or MT) - optional; 

- the target location (if available) or the lAs in case of location dependent interception. 

As a national option, in the case where the 3G GGSN is performing interception of the content of communications, the 
intercept subject is handed off to another SGSN and the same 3G GGSN continues to handle the content of 
communications subject to roaming agreements, the 3G GGSN shall continue to perform the interception of the content 
of communication. 

If 3G direct tunnel functionality with the GGSN, as defined in TS 23.060 [10], is used in the network, then the GGSN 
shall perform the interception of the content of communications. 

7.3 Provision of Intercept Related Information 

Intercept Related Information (Events) are necessary at the Mobile Station Attach, Mobile Station Detach, PDP Context 
Activation, Start of intercept with PDP context active, PDP Context Deactivation, RA update. Serving System and SMS 
events. 

Serving System event reporting is a national option. 
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Figure 21 shows the transfer of intercept related information to the DF2. If an event for / from a mobile subscriber 
occurs, the 3G GSN or the Home Location Register (HLR) sends the relevant data to the DF2. 

See clause 7A for multi-media Intercept Related Information produced at the CSCF. 
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Figure 21 : Provision of Intercept Related Information 

7.3.1 X2-interface 

The following information needs to be transferred from the 3G GSN or the HLR to the DF2 in order to allow a DF2 to 
perform its functionality: 

- target identity (MSISDN, IMSI, IMEI); 

- events and associated parameters as defined in clauses 7.3.2 and 7.4 may be provided; 

- the target location (if available) or the I As in case of location dependent interception; 

- Correlation number; 

- Quality of Service (QoS) identifier; 

- Encryption parameters (keys and associated parameters for decrypting CC), if available and necessary. 
The IRI should be sent to DF2 using a reliable transport mechanism. 

7.3.2 Structure of the events 

There are several different events in which the information is sent to the DF2 if this is required. Details are described in 
the following clause. The events for interception are configurable (if they are sent to DF2) in the 3G GSN or the HLR 
and can be suppressed in the DF2. 

The following events are applicable to 3G SGSN: 

- Mobile Station Attach; 

- Mobile Station Detach; 

- PDP context activation; 

- Start of interception with mobile station attached (national option); 

- Start of intercept with PDP context active; 
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- PDP context modification; 

- PDP context deactivation; 

- RA update; 

- SMS. 

NOTE: 3G GGSN interception is a national option. Location information may not be available in this case. 

If 3G direct tunnel functionality with the GGSN, as defined in TS 23.060 [10], is used in the network, then both the 
SGSN and the GGSN shall perform the interception of intercept related information. 

The following events are applicable to the 3G GGSN: 

- PDP context activation; 
PDP context modification; 

- PDP context deactivation; 

- Start of interception with PDP context active. 
The following events are applicable to the HLR: 

- Serving System. 

A set of elements as shown below can be associated with the events. The events trigger the transmission of the 
information from 3G GSN or HLR to DF2. Available lEs from this set of elements as shown below can be extended in 
the 3G GSN or HLR, if this is necessary as a national option. DF2 can extend available information if this is necessary 
as a national option e.g. a unique number for each surveillance warrant. 
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Table 2: Information Events for Packet Data Event Records 



Observed MSISDN 

MSISDN of the target subscriber (monitored subscriber). 



Observed IIVISI 

IIVISI of the target subscriber (monitored subscriber). 



Observed IIVIEI 

IIVIEI of the target subscriber (monitored subscriber), it shall be checked for each activation over the radio interface. 



Event type 

Description which type of event is delivered: MS attach, MS detach, PDP context activation. Start of intercept with 

PDP context active, PDP context deactivation, SMS, Serving System, Cell and/or RA update. 



Event date 

Date of the event generation in the 3G GSN or the HLR. 



Event time 

Time of the event generation in the 3G GSN or the HLR. Timestamp shall be generated relative to GSN or HLR 

internal clock. 



PDP address 

The PDP address of the target subscriber. Note that this address might be dynamic. 



Access Point Name 

The APN of the access point. (Typically the GGSN of the other party). 



Location Information 

Location Information is the Service Area Identity (SAI), RAI and/or location area identity that is present at the GSN at 

the time of event record production. 



Old Location Information 

Location Information of the subscriber before Routing Area Update 



PDP Type 

The used PDP type. 



Correlation Number 

The correlation number is used to correlate CC and IRI. 



SMS 

The SMS content with header which is sent with the SMS-service. The header also includes the SMS-Centre 

address. 



Network Element Identifier 

Unique identifier for the element reporting the ICE. 



Failed attach reason 

Reason for failed attach of the target subscriber. 



Failed context activation reason 

Reason for failed context activation of the target subscriber. 



lAs 

The observed Interception Areas. 



Initiator 

The initiator of the PDP context activation, deactivation or modification request either the network or the 3G MS. 



SMS Initiator 

SMS indicator whether the SMS is MO or MT. 



Deactivation / termination cause 

The termination cause of the PDP context. 



QoS 

This field indicates the Quality of Service associated with the PDP Context procedure. 



Serving System Address 

Information about the serving system (e.g. serving SGSN number or serving SGSN address). 



NSAPI 

Network layer Service Access Point Identifier 

The NSAPI information element contains an NSAPI identifying a PDP Context in a mobility management context 

specified by the Tunnel Endpoint Identifier Control Plane. 

This is a optional parameter to help DF/MF and LEA's to distinguish between the sending mobile access networks 

when the GGSN is used as element of the PDG according TS 23.234 [14], Annex F. 
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7.4 



Packet Data related events 



7.4.1 



Mobile Station Attach 



For attach an attach-event is generated. When an attach activation is generated from the mobile to serving 3G G SN this 
event is generated. These elements will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



Failed attach reason 



lAs (if applicable) 



7.4.2 Mobile Station Detach 

For detach a detach-event is generated, this is for the common (end) detach. These elements will be delivered to the 
DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



lAs (if applicable) 



7.4.3 Packet Data PDP context activation 

When a PDP context activation is generated a PDP context activation-event is generated. These elements will be 
delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



PDP address of observed party 



Event Type 



Event Time 



Event Date 



Correlation number 



Access Point Name 



PDP Type 



Network Element Identifier 



Location Information 



Failed context activation reason 



lAs (if applicable) 



Initiator (optional) 



QoS (optional) 



NSAPI (optional) 
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7.4.4 Start of interception with PDP context active 

This event will be generated if interception for a target is started and if the target has at least one PDP context active. If 
more then one PDP context are open, for each of them an event record is generated. These elements will be delivered to 
the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



PDP address of observed party 



Event Type 



Event Time 



Event Date 



Correlation number 



Access Point Name 



PDP Type 



Network Element Identifier 



Location Information 



Old Location Information (optional] 



lAs (if applicable) 



QoS (optional) 



Initiator (optional) 



NSAPI (optional) 



Presence of the optional Old Location Information field indicates that PDP context was already active, and being 
intercepted. However, the absence of this information does not imply that interception has not started in the old location 
SGSN for an active PDP context. 

Start of interception with PDP context active shall be sent regardless of whether a Start of interception with mobile 
station attached has already been sent. 

7.4.5 Packet Data PDP context deactivation 

At PDP context deactivation a PDP context deactivation-event is generated. These elements will be delivered to the 
DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



PDP address of observed party 



Event Type 



Event Time 



Event Date 



Correlation number 



Access point name 



Network Element Identifier 



Location Information 



lAs (if applicable) 



Deactivation cause 



Initiator (optional) 



NSAPI (optional) 
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7.4.6 RA update 



For each RA update an update-event with the elements about the new location is generated. New SGSN shall send the 
event, and the old SGSN may optionally send the event as well. These elements will be delivered to the DF2 if 
available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information (only for the new SGSN) 
Old Location Information (only for the old SGSN) 
lAs (if applicable) 



NOTE: Once target moves out of the interception area, old SGSN may report the RAU event. Normally, however, 
the old SGSN does not receive the new SGSN's RAI, while the new SGSN does receive the old SGSN's 
RAI from UE with the RAU Request message. 

7.4.7 SMS 

For MO-SMS the event is generated in the 3G SGSN. Dependent on national requirements, event generation shall occur 
either when the 3G SGSN receives the SMS from the target MS or when the 3G SGSN receives notification that the 
SMS-Centre successfully receives the SMS; for MT-SMS the event is generated in the 3G SGSN. Dependent on 
national requirements, event generation shall occur either when the 3G SGSN receives the SMS from the SMS-Centre 
or when the 3G SGSN receives notification that the target MS successfully received the message. These elements will 
be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



SMS 



SMS Initiator 



lAs (if applicable) 



7.4.8 Packet Data PDP context modification 

This event will be generated if interception for a target is started and if the target has at least one PDP context active. 
These elements will be delivered to the DF2 if available: 
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Observed MSISDN 



Observed IMSI 



Observed IMEI 



PDP address of observed party 



Event Type 



Event Time 



Event Date 



Correlation number 



Access Point Name 



PDP Type 



Network Element Identifier 



Location Information 



lAs (if applicable) 



Initiator 



QoS 



7.4.9 Serving System 



The Serving System report event is generated at the HLR, when the HLR has detected that the intercept subject has 
roamed. The elements will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Serving System Address 



7.4.10 Start of interception with mobile station attached 

This event will be generated if interception has started for the already attached target. These elements will be delivered 
to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



lAs (if applicable) 



7.5 



Void 



7.6 Interception of the Multimedia Messaging Service (MMS) 

The Multimedia Messaging Service (MMS) is a service running over the 3GPP PS-domain. Both mobile originating and 
mobile terminating MMS messages must pass through PS domain GSN nodes en route to or from Multimedia Message 
Service Centres (MMSCs). Therefore, interception of MMS messages shall be performed at the GSN in exactly the 
same way as for other PS -domain bearer services. 

The GSN is not responsible for recovering individual MMS messages from the user PDP context IP stream. 
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No MMS specific HI2 records are defined to be delivered to the LEMF over the DF2 other than those Hsted in 
clause 7.4 of this specification. CC records shall be sent to the LEMF over the DF3 as specified in clause 7.3. 

Interception of a user PDP context IP stream will occur as described in clause 7.2. Such a stream may or may not 
contain MMS messages. 



7A Invocation of Lawful Interception for Packet Data 
Multi-media Service 

7A.1 Provision of content of communications 

Interception of the content of communications for GSN packet data services is explained in clause 7.2. No additional 
content of communications intercept requirements are identified, (to be confirmed pending completion of multi-media 
stage 2 specifications) Activation and invocation of multi-media service does not produce interception of content of 
communications, which must be intercepted at the GSN under a separate activation and invocation. 

7A.2 Provision of IRI 

SIP messaging is reported as Intercept Related Information for the interception of multi-media service. As shown in 
figure 22 below, all SIP messages executed on behalf of a target subscriber are subject to intercept at the S-CSCF and 
Optionally P-CSCF. Based upon network configuration, the ADMF shall provision P-CSCFs, or S-CSCFs, or both P- 
CSCFs and S-CSCFs with SIP URI or TEL URL target identifiers. These resulting intercepted SIP messages shall be 
sent to DF2 for mediation prior to transmittal across the HI2 interface. 

For roaming scenarios, interception at the P-CSCF shall be Mandatory, in order to provide IRI Interception in the 
visited network, where the P-CSCF is located in the Visited Network. Where the P-CSCF is located in the Home 
Network, interception at the P-CSCF shall be Optional, subject to national regulation. 
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Figure 22: Provision of Intercept Related Information for multi-media 



7A.3 Multi-media events 

- All SIP messages to or from a targeted subscriber, and all SIP messages executed on behalf of a targeted 
subscriber for multi-media session control are intercepted by the S-CSCF and Optionally P-CSCF and sent to 
DF2. The target identifier used to trigger the intercept will also be sent with the SIP message. This standard does 
not require nor prohibit redundant information from being reported to DF2. 
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- Where a CSCF which provides lawful interception makes changes to a SIP message, sent to or from or 
executed on behalf of a target subscriber then the CSCF shall report both the original message and the 
modified message to the DF2. 

- Where a CSCF which provides lawful interception changes identities within a SIP message (eg IMPI/IMPU 
changes or due to call forwarding etc) and the new identity is the subject of interception, then both the 
original and modified SIP messages shall be reported to DF2. 

- Where a CSCF which provides lawful interception changes identities within a SIP message (eg IMPI/IMPU 
changes or due to call forwarding etc) and the new identity is not the subject of interception, then both the 
original and modified SIP messages shall be reported to DF2. 

- P-CSCF event reports may be redundant with S-CSCF event reports when the P-CSCF and S-CSCF reside in the 
same network, however, this standard does not require nor prohibit redundant information from being reported to 
DF2. 

- The IRI should be sent to DF2 with a reliable transport mechanism. 

- Correlation for SIP to bearer shall be supported within the domain of one provider. 

- An intercepted SIP event sent to DF2 is shown below: 

- Observed SIP URI 

- Observed TEL URL 

- Event Time and Date 
Network element identifier 

- SIP Message Header 

- SIP Message Payload 

7A.4 Multi-media Call State Control Service Scenarios 

Annex C shows examples of the delivery of intercepted events and product under various call scenarios. 

7A.5 Push to talk over Cellular (PoC) 

PoC is a service of the IMS Domain and interception is done according the definitions in clause 7A.3. Interception of 
CC is available with the current implementations in the GSNs. 

7A.6 SMS over IMS 

SMS over IMS shall be intercepted in accordance with normal IMS interception as described in 7A.3. SMS IRI 
(including originating and destination addresses, SMS direction, and SMS Centre Address) are reported, if available, for 
IRI-only intercepts. 



8 Security 



The security requirements are valid for the whole Lawful Interception system, i.e. rules and procedures shall be used for 
all involved entities, 3G GSN and the DF. 



8.1 Administration security 



The administration of the LI function, i.e. Activation, Deactivation and Interrogation of Lawful Interception, in the 
3G ICEs and the DFs shall be done securely as described below: 
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- It shall be possible to configure the authorised user access within the serving network to Activate, Deactivate and 
Interrogate Lawful Interception separately for every physical or logical port at the 3G ICEs and DF. It shall be 
possible to password protect user access. 

Only the ADMF is allowed to have access to the LI functionality in the 3G ICEs and DF. 

- The communication Hnks between ADMF, 3G GSN,3G MSC Server, CSCF, DF2, and DF3 may be required by 
national option to support security mechanisms. Options for security mechanisms include: 

- CUG / VPN; 

- COLP; 

- CLIP; 

- authentication; 

- encryption. 

Through the use of user access restrictions, no unauthorised network entities or remote equipment shall be able to view 
or manipulate LI data in the 3G GSN, 3G MSC Server, CSCF or the DFs. 



8.2 IRI security 



8.2.1 Normal operation 

The transmission of the IRI shall be done in a secure manner. 

When DFs are physically separate from the 3G ICEs, the X2-interface may be required by national option to support 
security mechanisms. Options for security mechanisms include: 

- CUGA^PN; 

- COLP; 

- CLIP; 

- authentication; 

- encryption. 

8.2.2 Communication failure 

Depending on the national law in case of communication failure IRI may be buffered in the 3G INEs. After successful 
transmission of IRI the whole buffer shall be deleted. It shall be possible to delete the content buffer via command or a 
timer, in an un-restorable fashion. 

8.3 CC security 

The transmission of the CC shall be done in a secure manner. 

When DFs are physically separate from the 3G INEs, the X3-interface may be required by national option to support 
security mechanisms. Options for security mechanisms include: 

- CUGA^PN; 

- COLP; 

- CLIP; 

- authentication; 

- encryption. 



ETSI 



3GPP TS 33.107 version 8.7.0 Release 8 



44 



ETSI TS 133 107 V8.7.1 (2009-04) 



In case of transmission failure no buffering is required within the intercepting network. 

8.4 Security aspects of Lawful Interception billing 

Billing information may be suppressed or made available at the DFs and the ADMF. Billing information for Lawful 
Interception shall be separated from "regular" billing data. 

Billing data transmission to the Lawful Interception billing system may be done in a secure manner per national option. 

In case of transmission failure billing-data shall be buffered/stored in a secure way. After successful transmission billing 
data shall be deleted in an un-restorable fashion. 

8.5 Other security issues 

8.5.1 Log files 

Log files shall be generated by the ADMF, DF2, DFS, 3G MSC Server, CSCF and the 3G GSN. All log files are 
retrievable by the ADMF, and are maintained by the ADMF in a secure manner. 

8.5.2 Data consistency 

The administration function in the 3GMS shall be capable of performing a periodic consistency check to ensure that the 
target Hst of target identities in all involved 3G MSC Servers, CSCFs, 3G GSNs in the 3GMS and the DFs contain the 
appropriate target Ids consistent with the intercept orders in the ADMF. The reference data base is the ADMF data base. 



9 Invocation of Lawful Interception for 3GPP WLAN 

Interworking Services 

Figure 23 shows the extract from the reference configuration which is relevant for the invocation of the Lawful 
Interception of the packet data 3 GPP WLAN Interworking network. 
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Figure 23: Functional model for invocation of Lawful Interception for 3GPP WLAN Interworking 

Services 

The HI2 and HI3 interfaces represent the interfaces between the LEA and two delivery functions. Both interfaces are 
subject to national requirements. They are included for completeness, but are beyond the scope of this specification. 

The delivery functions are used: 

- to convert the information on the X2-interface to the corresponding information on the HI2 interface; 

- to distribute the intercept related information to the relevant LEA(s); 

- to distribute the intercept product to the relevant LEA(s). 

Interception at a WAG applies for the roaming users where the PDG is not in the visited network. 
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For most WLAN Interworking cases, the Packet Data Gateway (PDG) handles the bearer level interception, specifically 
interception of CC and IRI related to tunnel establishment and release in which case there is no need to perform 
interception at a WAG. This includes the case where the PDG is in the intercepting carrier" s network (whether it be 
home or visited). For the case where a visited network is to intercept WLAN related tunnel and the PDG for the tunnel 
is not in the visited network, the Wireless Access Gateway (WAG) is used to intercept the CC and IRI related to tunnel 
establishment and release. It should be noted that the CC available at the WAG may be encrypted. 

9.1 Provision of Intercept Product - Siiort Message Service 

LI for SMS in the 3GPP-WLAN Interworking case is described in Clause 7A.4. 

9.2 Provision of Intercepted Content of Communications - 
3GPP WLAN Interworking services 

The access method for the delivering of 3GPP WLAN Interworking Intercept Product is based on duplication of packets 
without modification at the PDG or WAG. The duplicated packets with additional information in the header, as 
described in the following sections, are sent to DF3 for further delivery. Note that CC available at the WAG is likely to 
be encrypted. 
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Figure 24: Configuration for interception of 3GPP WLAN Interworking product data 

9.2.1 X3-intei1ace 

In addition to the intercepted content of communications, the following information needs to be transferred from the 
PDG or WAG to the DF3 in order to allow the DF3 to perform its functionality: 

- target identity; 
correlation number; 

- time stamp - optional; 

direction (indicates whether T-PDU is MO or MT) - optional; 

- the target location (if available in the intercepting node). 
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9.3 Provision of Intercept Related Information 

Figure 25 shows the transfer of intercept related information to the DF2. If an event for / from a mobile subscriber 
occurs, the PDG, WAG, or the AAA Server sends the relevant data to the DF2. 




Figure 25: Provision of Intercept Related Information 

9.3.1 X2-interface 

The following information needs to be transferred from the PDG, WAG or the AAA server to the DF2 in order to allow 
a DF2 to perform its functionality: 

- target identity (IMSI, NAI, or MSISDN); 

- events and associated parameters as defined in section 9.3.2 may be provided; 

- the target location (if available); 
Correlation number; 

- Quality of Service (QoS) identifier (if available). 

The IRI should be sent to DF2 using a reliable transport mechanism. 

9.3.2 3GPP WLAN Interworking LI Events and Event Information 

The following events are applicable to AAA Server: 

- I-WLAN Access Initiation; 
I-WLAN re-authentication, 
I-WLAN Access Termination; 

- I-WLAN Tunnel EstabHshment; 
I-WLAN Tunnel Disconnect; 

- Start of Intercept with I-WLAN Communication Active; 
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The following events are applicable to the PDG and WAG: 

- I-WLAN Tunnel Establishment; 

- I-WLAN Tunnel Disconnect; 

Start of Intercept with I-WLAN Communication Active. 

A set of possible elements as shown below is used to generate the events. Information associated with the events are 
transmitted from the PDG, WAG or AAA server to DF2. 

Note: Some of these parameters apply to the PDG or WAG and some apply to the AAA server. Parameters sent 
from the PDG, WAG or AAA server is dependent on what is available at the network element. 
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Table 3: Information Events for WLAN Interworking Event Records 



Element 


PDG 


AAA Server 


Observed MSISDN 

MSISDN of the target subscriber (monitored 

subscriber). 


Available, see TS 29.234 


Available, see TS 29.234 


Observed NAI 

NAI of the target subscriber (monitored subscriber). 


Not available 


Available, see TS 29.234 


Observed IMSI 

IIVISI of the target subscriber (monitored subscriber). 


Available, see TS 24.234 


Available, see TS 29.234 


Event type 

Description which type of event is delivered: l-WLAN 
Access Initiation, l-WLAN Access Termination, 1- 
WLAN Tunnel Establishment, l-WLAN Tunnel 
Disconnect, Start of Intercept with l-WLAN 
Communication Active. 


Available from ICE 


Available from ICE 


Event date 

Date of the event generation in the PDG or the AAA 

server. 


Available from ICE 


Available from ICE 


Event time 

Time of the event generation in the PDG or the AAA 
server. Timestamp shall be generated relative to the 
PDG or AAA server internal clock. 


Available from ICE 


Available from ICE 


WLAN UE Local IP address 
The WLAN UE Local IP addess of observed party. 
The WLAN UE Local IP address field specified in TS 
24.234 and lb 1 h RFC 2409, represents the IPv4/IPv6 
address of the WLAN UE in the WLAN AN. It is an 
address used to deliver the packet to a WLAN UE in a 
WLAN AN. Note that this address might be dynamic. 


Available, see TS 24.234 and 
IETF RFC 2409 


Not available 


WLAN UE MAC address 

The WLAN MAC address of the target subscriber. 

Note that this address might be dynamic and the 

validity of the MAC Address is outside of the scope of 

3GPP. 


Not available 


Available, see TS 29.234 


WLAN UE Remote IP address 
The WLAN UE Remote IP addess of observed party. 
The WLAN UE Remote IP address field specified in 
TS 24.234, represents the IPv4/IPv6 address of the 
WLAN UE in the network being accessed by the 
WLAN AN. It is an address used in the data packet 
encapsulated by the WLAN UE-initited tunnel and is 
the source address used by applications in the WLAN 
UE. Note that this address might be dynamic. 


Available, see TS 24.234 


Not available 


WLAN Access Point Name 
The W-APN of the access point. 


Available, see TS 24.234 


Available, see TS 29.234 


WLAN Operator Name 

The name of the WLAN operator name serving the 

target subscriber. 


Not available 


Available, see TS 29.234 


WLAN Location Name 

The name of the location of the WLAN serving the 
target subscriber (e.g., string like "coffee shop" or 
"airport", etc.). 


Not available 


Available, see TS 29.234 


WLAN Location Information 

Location Information regarding the WLAN as provided 
in RADIUS or DIAMETER signalling exchanged with 
the AAA server. 


Not available 


Available, see TS 29.234 


Correlation Number 

The correlation number is used to correlate CC and 

IRI. The correlation number is also used to allow the 

correlation of IRI records. In case of the AAA server, 

the Correlation Number is only used to correlate IRI 

records. 


Generated for LI by PDG 


Generated for LI by AAA server 


Network Element Identifier 

Unique identifier for the element reporting the ICE. 


Generated for LI by PDG 


Generated for LI by AAA server 


Initiator 

The initiator of the request either the network or the 

WLAN UE. 


Generated for LI by PDG 


Generated for LI by AAA server 
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NAS IP/IPv6 address 

The IP or IPv6 address of the NAS in the WLAN. 


Not available 


Available, see TS 29.234 


Visited PLMN ID 

Identity of the visited PLIVIN to which the user is 
terminating their WLAN tunnels or through which the 
user is establishing their WLAN tunnels. 


Not available 


Available, see TS 29.234 


Session Alive Time 

The amount of time in seconds during which the 

target subscriber can be registered for WLAN access. 


Not available 


Available, see TS 29.234 


Failed access reason 

Provides the reason for why a WLAN access attempt 

failed ("Authentication Failed"). 


Not available 


Available from ICE 


Session termination reason 

Provides a reason for why a WLAN access session is 

terminated. 


Not available 


Available, see TS 29.234 


Failed tunnel establishment reason 
Provides a reason for why a WLAN tunnel 
establishment failed ("Authentication failed" or 
"Authorization failed"). 


Available from ICE 


Available from ICE 


NSAPI 

Network layer Service Access Point Identifier 

The NSAPI information element contains an NSAPI 

identifying a PDP Context in a mobility management 

context specified by the Tunnel Endpoint Identifier 

Control Plane. 

This is a optional parameter to help DF/MF and LEA's 

to distinguish between the sending mobile access 

networks 


Optional available according 
23.234 Annex F; defined 29.060 
7.7.17 


Not available 
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Table 3a: Information Events for WLAN Interworking Event Records - WAG 



Element 


WAG 


Observed MSISDN 

MSISDN of the target subscriber (monitored 

subscriber). 


Available, see 3GPP TS 29.234 


Observed IMSI 

IIVISI of the target subscriber (monitored subscriber). 


Available, see 3GPP TS 29.234 


Event type 

Description which type of event is delivered: l-WLAN 
Tunnel Establishment, l-WLAN Tunnel Disconnect, 
Start of Intercept with l-WLAN Communication Active. 


Available from ICE 


Event date 

Date of the event generation in the PDG/WAG or the 

AAA server. 


Available from ICE 


Event time 

Time of the event generation in the PDG/WAG or the 
AAA server. Timestamp shall be generated relative to 
the PDG/WAG or AAA server internal clock. 


Available from ICE 


WLAN UE IP address 

The WLAN UE IP addess of observed party. The 
WLAN UE IP address field contains the IPv4/IPv6 
address (specified by 3GPP TS 29.234) of the WLAN 
UE tunnel endpoint as seen by the WAG. Note that 
this address might be dynamic. 


Available, see 3GPP TS 29.234 


WLAN PDG Tunnel Endpoint IP address 
The WLAN PDG Tunnel Endpoint IP address field 
contains the IPv4/IPv6 address of the PDG (as 
specified in 3GPP TS 29.234) as seen by the WAG. 
Note that this address might be dynamic. 


Available, see 3GPP TS 29.234 


WLAN Access Point Name 
The W-APN of the access point. 


Available, see 3GPP TS 29.234 


Correlation Number 

The correlation number is used to correlate CC and 
IRI. The correlation number is also used to allow the 
correlation of IRI records. 


Generated for LI by WAG 


Network Element Identifier 

Unique identifier for the element reporting the ICE. 


Generated for LI by WAG 


NAS IP/IPv6 address 

The IP or IPv6 address of the NAS in the WLAN. 


Available, see 3GPP TS 29.234 


Tunnel Protocol 

The Tunnel Protocol as defined in the Routing-Policy 

AVP in 3GPP TS 29.234. 


Available, see 3GPP TS 29.234 


Source Ports 

The list or range of source ports as specified in the 
Routing-Policy AVP provided by the AAA server in 
3GPP TS 29.234. 


Available, see 3GPP TS 29.234 


Destination Ports 

The list or range of destination ports as specified in 
the Routing-Policy AVP provided by the AAA server in 
3GPP TS 29.234. 


Available, see 3GPP TS 29.234 


Session Alive Time 

The amount of time in seconds during which the 

target subscriber can be registered for WLAN access. 


Available, see 3GPP TS 29.234 



9.4 



Structure of l-WLAN Events 



9.4.1 l-WLAN Access Initiation 

For I- WLAN Access Initiation including I-WLAN re-authentication, for both I- WLAN Access Initiation-event is 
generated. The elements, shown in Table 4, will be delivered to the DF2, if available, by the AAA server. 
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Table 4: l-WLAN Access Initiation - AAA Server 



Observed MSISDN 



Observed IMSI 



Observed NAI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



WLAN Operator Name 



WLAN Location Name 



WLAN Location Information 



NAS I P/IPv6 Address 



WLAN UE MAC Address 



Visited PLMN ID 



Session Alive Time 



Failed Access reason 



9.4.2 WLAN Access Termination 

For WLAN Access Termination or the immediate purging of a user from a WLAN access, a WLAN access termination- 
event is generated. The elements, shown in Table 5, will be delivered to the DF2, if available, by the AAA server. 

Table 5: l-WLAN Access Termination - AAA Server 



Observed MSISDN 



Observed IMSI 



Observed NAI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



WLAN Operator Name 



WLAN Location Name 



WLAN Location Information 



NAS I P/IPv6 Address 



WLAN UE MAC Address 



Session Termination reason 



9.4.3 l-WLAN Tunnel Establishment 

For I-WLAN Tunnel Establishment, a I-WLAN tunnel establishment-event is generated. The elements, shown in Table 
6, 6a, and Table 7, will be delivered to the DF2 if available, by the PDG, WAG or AAA server, respectively. 

Table 6: l-WLAN Tunnel Establishment - PDG 



Observed MSISDN 



Observed IMSI 



Observed NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



WLAN UE Local IP address 



WLAN UE Remote IP address 



WLAN Access Point Name 



Network Element Identifier 



Failed tunnel establishment reason 



NSAPI (optional) 
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Table 6a: l-WLAN Tunnel Establishment - WAG 



Observed MSISDN 



Observed IMSI 



Event Type 



Event Time 



Event Date 



Correlation number 



WLAN UE IP address 



WLAN PPG Tunnel Endpoint IP address 



WLAN Access Point Name 



NAS IP/IPv6 address 



Tunnel Protocol 



Source Ports 



Destination Ports 



Session Alive Time 



Network Element Identifier 



Table 7: l-WLAN Tunnel Establishment - AAA Server 



Observed MSISDN 



Observed IMSI 



Observed NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



WLAN Access Point Name 



Network Element Identifier 



Visited PLMN ID 



Failed tunnel establishment reason 



9.4.4 l-WLAN Tunnel Disconnect 

At I-WLAN Tunnel Disconnect, a I-WLAN tunnel disconnect event is generated. The elements, shown in Table 8, 8a, 
and Table 9, will be delivered to the DF2, if available, by the PDG, WAG or AAA server, respectively. 

Table 8: l-WLAN Tunnel Disconnect - PDG 



Observed MSISDN 



Observed IMSI 



Observed NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



WLAN UE Local IP Address 



WLAN UE Remote IP address 



WLAN Access Point Name 



Network Element Identifier 



Initiator (optional) 
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Table 8a: l-WLAN Tunnel Disconnect - WAG 



Observed MSISDN 



Observed IMSI 



Event Type 



Event Time 



Event Date 



Correlation number 



WLAN UE IP address 



WLAN PPG Tunnel Endpoint IP address 



WLAN Access Point Name 



NAS IP/IPv6 address 



Tunnel Protocol 



Source Ports 



Destination Ports 



Network Element Identifier 



Table 9: l-WLAN Tunnel Disconnect - AAA Server 



Observed MSISDN 



Observed IMSI 



Observed NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



Tunnel address of observed party 



WLAN Access Point Name 



Network Element Identifier 



Initiator (optional) 



This event will be generated if interception for a target is started and if the target has one or more active I-WLAN 
Access sessions or one or more l-WLAN Tunnels established. The elements, shown in Table 10,10a, and Table 11, will 
be delivered to the DF2, if available, by the PDG, WAG or AAA server, respectively. 



Table 10: Start of Intercept with l-WLAN Communication Active - PDG 



Observed MSISDN 



Observed IMSI 



Observed NAI 



Event Type 



Event Time 



Event Date 



Correlation Number 



WLAN UE Local IP Address 



WLAN UE Remote IP address 



WLAN Access Point Name 



Network Element Identifier 
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Table 10a: Start of Intercept with l-WLAN Communication Active - WAG 



Observed MSISDN 



Observed IMSI 



Event Type 



Event Time 



Event Date 



Correlation number 



WLAN UE IP address 



WLAN PPG Tunnel Endpoint IP address 



WLAN Access Point Name 



NAS IP/IPv6 address 



Tunnel Protocol 



Source Ports 



Destination Ports 



Session Alive Time 



Network Element Identifier 



Table 11 : Start of Intercept with l-WLAN Communication Active - AAA Server 



Observed MSISDN 



Observed IMSI 



Observed NAI 



Event Type 



Event Time 



Event Date 



Correlation Number 



WLAN Access Point Name 



Network Element Identifier 



WLAN Operator Name 



WLAN Location Name 



WLAN Location Information 



NAS IP/IPv6 address 



Visited PLMN ID 
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10 Interception of Multimedia Broadcast/MultiCast 
Service (MBMS) 

MBMS provides video or similar streamed services via either point to point multicast or cell broadcast mechanisms 
between an operator content server (BM-SC) and UEs as defined in TS 23.246 [20]. This section details the stage 2 
Lawful Interception requirements for MBMS. 

Note:- Generic Broadcast services where the UE receives the broadcast in IDLE mode and there is no subscription 
relationship between the UE and the BM-SC are out of scope. In addition 3^^ party BM-SC services where the operator 
is not responsible for content encryption and subscription management are out of scope. 

Figure 10.1 shows the extract from the reference configuration which is relevant for the invocation of the Lawful 
Interception of the MBMS Services. 
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Figure 10.1 : Functional model for invocation of Lawful Interception for MBMS Services 

10.1 Provision of Content of Communications 

Interception of the content of communications for MBMS services if available, may be provided by the underlying 
transport bearer interception functionality (e.g. GSN, PDG or NGN network) and is therefore subject to the current 
transport bearer interception functionality detailed in other parts of this specification. 

10.2 Provision of Intercept Related Information 

Figure 10.2 shows the transfer of intercept related information to the DF2. If an event for / from a mobile subscriber 
occurs, the BM-SC shall send the relevant data to the DF2. 
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Figure 10.2: Provision of Intercept Related Information 



10.2.1 X2-interface 

The following information needs to be transferred from the BM-SC to the DF2 in order to allow a DF2 to perform its 
functionality: 

- target identity; 

- events and associated parameters as defined in clauses 10.3.2 may be provided; 

- For Further Study:- Encryption parameters (keys and associated parameters for decrypting CC), if available and 
necessary. 

The IRI should be sent to DF2 using a reliable transport mechanism. 



10.2.2 MBMS LI Events and Event Information 

Intercept Related Information (Events) are necessary are necessary for the following; 

Service Joining. 

Service Leaving 

Start of Interception with Service Active 

Subscription Activation 

Subscription Modification 

Subscription Termination 

Events shall include changes resulting from direct communication between the UE and BM-SC and off-line 
subscription changes (e.g. changes made by operator customer services on behalf of the subscriber). 

A set of possible elements as shown in Table 10.2.2 are used to generate the events. 
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Table 10.2.2: Information Events for MBMS Event Records 



Element 



Observed IMSI 

IMSI of the target subscriber (monitored subscriber). 



Observed Other Identity 

Other Identity of the target subscriber (monitored subscriber). 



Event type 

Description which type of event is delivered:- Service Joining; Service Leaving; Subscription 

Activation; Subscription Modification; Subscription Termination. 



Event date 

Date of the event generation in the BM-SC. 



Event time 

Time of the event generation in the BM-SC. Timestamp shall be generated relative to the BM-SC 

server internal clock. 



MBMS Subscribed Service 

Details of the MBMS Service to which the Target Subscriber has subscribed. 



MBMS Service Joining Time 
Requested MBMS Service Joining Time 



MBMS Service Subscription List 

List of all users subscribed to MBMS Service to which Target Subscriber has requested Joining. 

Correlation Number 

The correlation number is used to correlate CC and IRI. The correlation number is also used to allow 

the correlation of IRI records. 



Network Element Identifier 

Unique identifier for the element reporting the ICE. 



Initiator 

The initiator of the request either the UE or Off-line BM-SC access (eg customer services agent or 

internet). 



Visited PLMN ID 

Identity of the visited PLMN to which the user is registered 



APN 

Access Point Name on which this IP multicast address is defined. 



Multicast/Broadcast Mode 

MBMS bearer service in broadcast or multicast mode 



IP IP/IPv6 multicast address(multicast mode only) 

IP or IPv6 multicast address identifying the MBMS bearer described by this MBMS Bearer Context. 



List of Downstream Nodes 

List of downstream nodes that have requested the MBMS bearer service and to which notifications 

and MBMS data have to be forwarded. 



MBMS Leaving Reason 

Indicates whether UE initiated/requested leaving, or whether BM-SC/network terminated the Service 

to the UE (e.g. GSN session dropped or BM-SC subscription expired etc). 



NOTEl:- Generation of Correlation Number is FFS. 
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1 0.3 Structure of MBMS Events 
10.3.1 Service Joining 

For MBMS Service Joining, a Service Joining event is generated. The elements, shown in Table 10,3.1 will be delivered 
to the DF2, if available, by the BM-SC. A new Service Joining Event shall be generated for each individual service 
joined. 



Table 10.3.1 : Service Joining 



Observed IMSI 


Event Type 


Event Time 


Event Date 


MBMS Subscribed Service 


MBMS Service Joining Time 


Network Element Identifier 


Initiator 


IP/IPv6 Multicast Address 


(If Applicable) 


Visited PLMN ID 


(If Applicable) 


Multicast/Broadcast Mode 


APN (If Available) 


List of Downstream Nodes 


(If Available) 


MBMS Service Subscription List 


(Optional) 



10.3.2 Service Leaving 



For MBMS Service Leaving, a Service Leaving event is generated. The elements, shown in Table 10.3.2 will be 
delivered to the DF2, if available, by the BM-SC. A new Service Leaving Event shall be generated for each individual 
service leaving. 



Table 10.3.2: Service Leaving 



Observed IMSI 


Event Type 


Event Time 


Event Date 


MBMS Subscribed Service 


Network Element Identifier 


Initiator 


IP/IPv6 Multicast Address 


(If Applicable) 


Visited PLMN ID 


(If Applicable) 


MBMS Service Subscription List 


(Optional) 


MBMS Service Leaving Reason 
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10.3.3 Start of Interception with Service Active 

For Start of Interception where MB MS Service Joining has already occurred prior to start of interception, a Start of 
Interception with Service Active event is generated. The elements, shown in Table 10.3.3 will be delivered to the DF2, 
if available, by the BM-SC. A new Start of Interception with Service Active Event shall be generated for each 
individual service the target is subscribed to. 



Table 10.3.3: Start of Interception with Service Active 



Observed IMSI 


Event Type 


Event Time 


Event Date 


MBMS Subscribed Service 


IVIBIVIS Service Joining Time 


Network Element Identifier 


Initiator 


IP/IPv6 Multicast Address 


(If Applicable) 


Visited PLMN ID 


(If Applicable) 


Multicast/Broadcast Mode 


APN (If Available) 


List of Downstream Nodes 


(If Available) 


MBMS Service Subscription List 


(Optional) 



1 0.3.4 Subscription Activation 

For MBMS Subscription Activation, a Subscription Activation event is generated. The elements, shown in Table 10.3.4 
will be delivered to the DF2, if available, by the BM-SC. If Subscription Activation is performed simultaneously for 
more than one service, a separate event shall be generated for each service activated. 



Table 10.3.4: Subscription Activation 



Observed IMSI 


Event Type 


Event Time 


Event Date 


MBMS Subscribed Service 


Network Element Identifier 


Initiator 


IP/IPv6 Address 


(If Applicable) 


Visited PLMN ID 


(If Applicable) 


MBMS Service Subscription List 


(Optional) 
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10.3.5 Subscription Modification 

For MBMS Subscription Modification, a Subscription Modification event is generated. The elements, shown in Table 
10.3.5, will be delivered to the DF2, if available, by the BM-SC. If Subscription Modification is performed 
simultaneously for more than one service, a separate event shall be generated for each service modified. 



Table 10.3.5: Subscription Modification 



Observed IMSI 


Event Type 


Event Time 


Event Date 


MBMS Subscribed Service 


Network Element Identifier 


Initiator 


IP/IPv6 Address 


(If Applicable) 


Visited PLMN ID 


(If Applicable) 


MBMS Service Subscription List 


(Optional) 



1 0.3.6 Subscription Termination 



For MBMS Subscription Termination, a Subscription Termination event is generated. The elements, shown in Table 
10.3.6 will be delivered to the DF2, if available, by the BM-SC. If Subscription Termination is performed 
simultaneously for more than one service, a separate event shall be generated for each service performed. 



Table 10.3.6: Subscription Modification 



Observed IMSI 


Event Type 


Event Time 


Event Date 


MBMS Subscribed Service 


Network Element Identifier 


Initiator 


IP/IPv6 Address 


(If Applicable) 


Visited PLMN ID 


(If Applicable) 


MBMS Service Subscription List 


(Optional) 
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1 1 IMS Conference Services 

11.1 Background for IMS Conference Services 

The entire clause 7A.X is a national option and is subject to national regulations. The covered cases are where the 
conference services are in the domain of the intercepting operator. The following cases are covered. 

1. A target" s conference call is the subject of interception. This may be where the intercept subject is the head of 
the conference. IRI and CC for this conference is reported. The following are examples of information that is 
reported. 

a. For example, the starting and ending of a conference as well as any parties joined or removed from 
the conference call are reported. 

b. Reporting of CC for held conferences initiated by the intercept subject. 

2. A conference that itself is directly the target of interception. This case is applicable only provided that the 
conference is identified by a proper identity for LI in IMS domain (Conference URI or Conference Factory 
URI). The IRI and CC for this conference is reported. 

a. For example, the starting and ending or a conference as well as any parties joined or removed from 
the conference call are reported. 

The case when an intercept subject joins an associate" s conference is for further study. 

The key elements for interception of conference services are the AS/MRFC and MRFP. IRI associated with the 
conference services that are to be intercepted is reported by the AS/MRFC while the CC associated with the conference 
service is reported by the MRFP. 

1 1 .2 Provision of Intercepted Content of Communication - IMS 
Conference Services 

The access method for the delivery of IMS conference services intercept content of communication [CC] is based on 
duplication of packets without modification at the MRFP for conferences that are to be intercepted. The duplicated 
packets with additional information in the header, as described in the following sections, are sent to DF3 for further 
delivery. For a target" s conference call held by the target, the MRFP duplicates the CC for conference call held by the 
target, in accordance with national regulations. For a conference call that is the target of interception, the MRFP 
duplicates the CC for the conference. 

NOTE: There is an issue of combined versus separated delivery. With combined delivery, one method for 

intercepting the CC would be to create a virtual conference port (not visible to others) through which a 
copy of the combined CC could be passed over the X3 interface (Y conferees means 1 content stream). 
With the separated delivery approach, each conferee" s connection to the conference would need to be 
intercepted and passed over the X3 interface (Y conferees, means Y pairs of bi-directional content 
streams). 
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Figure 11.1: Configuration for interception of IMS Conference Services CC 

11.2.1 X3-intei1ace 

In addition to the intercepted content of communications, the following information may need to be transferred from the 
MRFP to the DF3 in order to allow the DF3 to perform its functionality: 

- target identity; 

- correlation number; 

Note: Information passed between the MRFC and MRFP for correlation has to uniquely identify the mixing of 
associated media streams for a conference distinct from any other mixing or media handling. An example is how 
H.248 uses a context identifier to do this. 

- time stamp - optional; 

- direction (incoming or outgoing stream) - optional. 

1 1 .3 Provision of Intercept Related Information for IMS 
Conference Service 

Figure 1 1.2 shows the transfer of intercept related information to the DF2. If an event for / from or associated with a 
conference server occurs, the AS/MRFC sends the relevant data to the DF2. 
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Figure 11.2: Provision of Intercept Related Information for IMS Conferencing 

11.3.1 X2-interface 

The following information may need to be transferred from the AS/MRFC to the DF2 in order to allow a DF2 to 
perform its functionality: 

- target identity (IMPU, IMPI, Conference URI); 

- events and associated parameters as defined in section 7A6.2.2 may be provided; 
Correlation number; 

- Quality of Service (QoS) identifier (if available) associated with the parties bearer connection to the conference. 
The IRI should be sent to DF2 using a reliable transport mechanism. 

1 1 .3.2 IMS Conference Events and Event Information 

The following events are applicable to AS/MRFC: 

- Start of Conference 

- Party Join; 

- Party Leave; 

- Start of Intercept on an Active Conference; 

- End of Conference; 

- Creation of Conference; 

- Update of Conference. 

NOTE: Reporting of Floor Control events from the MRFP is FES. 

A set of possible elements as shown below that may be reported with the events. Information associated with the events 
is transmitted from the AS/MRFC server to DF2. 
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Table 11.3.1 Information Elements for Conference Events 



Element 



Observed IMPU 

IMS Public User identity (IMPU) of the target subscriber (monitored subscriber). In some cases, this identity may 

not be observed by the MRFC. Also see Note 1 . 



Observed IMPI 

IMS Private User identity (IMPI) of the target subscriber (monitored subscriber). In some cases, this identity may 

not be observed by the MRFC. Also see Note 1 . 



Observed Other Identity 

Target Identifier with the NAI of the target subscriber (monitored subscriber). 



Observed Conference URI 

Observed SIP URI of the target conference. [Editor"s Note: See how to resolve having this parameter along with 

Conference URI in the subsequent tables]. 



Event type 

Description which type of event is delivered: Start of Conference, Party Join, Party Leave, Start of Intercept on an 

Active Conference, Conference End. 



Event date 

Date of the event generation in the AS/MRFC. 



Event time 

Time of the event generation in the AS/MRFC server. Timestamp shall be generated relative to the AS/MRFC 

internal clock. 



Correlation Number 

The correlation number is used to correlate CC and IRI. The correlation number is also used to allow the correlation 

of IRI records. 



Network Element Identifier 

Unique identifier for the element reporting the ICE. 



Initiator 

The initiator of a request, for example, the target, the network, a conferee. 



Join Party Id 

Identity of the party successfully joining or attempting to join the conference. 



Leave Party Id 

Identity of the party leaving or being requested to leave the conference. 



List of Potential Conferees 

Identifies each of the parties to be invited to a conference or permitted to join the conference (if available). 



Conference URI 

A URI associated with the conference being monitored. 



Temporary Conference URI 

A temporarily allocated URI associated with a conference being monitored. 



List of Conferees 

Identifies each of the conferees currently on a conference (e.g., via SIP URI or TEL URL). 



Failed conference start reason 

Provides a reason for why a conference start attempt failed. 



Failed Party Join reason 

Provides a reason for why a party join attempt failed. 



Reason for Party Leaving 

Provides a reason for the party leaving. 



Failed Party Leave reason 

Provides a reason for why a party leave attempt failed. 



Conference End Reason 

Provides a reason for why the conferece ended. 



Potential Conference Start Time 

The expected start time of the conference, if start time information is configured in the system. 



Potential Conference End Time 

The expected end time of the conference, if such end information is configured in the system. 



Recurrence Information 

Information indicating the recurrence pattern for the event as configured for the created conference. 



Identity(ies) of Conference Controller 

Identifies the parties that have control privileges on the conference, if such information is configured in the system. 



Editor" s Note: We should consider whether H.248 Context Identifier should be added to help correlate CII and CC 
NOTE: In most cases, either the IMPU or IMPI may be available, but not necessarily both. 
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1 1 .3.3 Structure of Conference Events 
1 1 .3.3.1 Start of Conference 

For the start of a conference, a Start of Conference-event is generated in the following cases: 

- When a target provisioned or requested conference or a conference that is the target of interception is started. 
The conference is started when the first party is joined to the conference. 

The fields, shown in Table 11.3.2, will be deHvered to the DF2, if available, by the AS/MRFC. 

Table 1 1 .3.2. Start of Conference 



Observed IMPU 



Observed IMPI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Correlation Number 



List of Potential Conferees 



List of Conferees 



Conference URI 



Temporary Conference URI 



Failed Conference Start reason 



11.3.3.2 Party Join 

A Party Join-event is generated in the following cases: 

- When a party successfully joins the target" s conference or a conference that is the target of interception. 

- When a party unsuccessfully attempts to join the target" s conference or a conference that is the target of 
interception. 

The fields, shown in Table 11.3.3, will be deHvered to the DF2, if available, by the AS/MRFC. 

Table 11.3.3 Party Join 



Observed IMPU 



Observed IMPI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Correlation Number 



Join Party ID 



Initiator of the Party Join request 



Conference URI 



List of Conferees - see note 



Temporary Conference URI 



Failed Party Join reason (e.g., not available) 



NOTE: The reporting of the List of Conferees is not required when a party joins a target" s conference. 

1 1 .3.3.3 Party Leave 

A Party Leave-event is generated in the following cases: 

- When a party leaves a target" s conference or a conference that is the target of interception. This includes 

situations where the party simply disconnects themselves from the conference (hang up), the party" s connection 
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to the conference is broken (e.g., party leaves wireless coverage area), and where the party" s connection to the 
conference is forcefully terminated due to another party" s drop request or operator policy. 

- When a party unsuccessfully attempts to drop another party from the conference. This applies to all the 
conferencing scenarios described earlier. 

The fields, shown in Table 11.3.4, will be dehvered to the DF2, if available, by the AS/MRFC. 

Table 1 1 .3.4 Party Leave 



Observed IMPU 



Observed IMPI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Correlation Number 



Leave Party ID 



Initiator of the Party Leave request 



Conference URI 



Temporary Conference URI 



Reason for Party Leaving - see Note. 



Success/Failure Indication for Leave Attempt 



NOTE: A party could drop off the conference for normal reasons (e.g., just hang up) or could be removed by a 
conference controller. 

1 1 .3.3.4 Start of Intercept on an Active Conference 

A Start of Intercept on an Active Conference-event (a conference with at least one party) is generated for the following 
cases: 

- When interception is activated during an ongoing conference call. 

The fields, shown in Table 11.3.5, will be delivered to the DF2, if available, by the AS/MRFC. 



Table 11.3.5 Start of Intercept with an Active Conference 



Observed IMPU 



Observed IMPI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Correlation Number 



List of Conferees 



Conference URI 



Temporary Conference URI 



1 1 .3.3.5 Conference End 

When a conference is terminated, a Conference End-event is generated in the following cases: 

- When a target provisioned or requested conference is terminated. This occurs when the last party on the 
conference leaves or the conference is terminated by the conference server. 
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The fields, shown in Table 11.3.6, will be delivered to the DF2, if available, by the AS/MRFC. 

Table 11.3.6 End of Conference 



Observed IMPU 



Observed IMPI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Correlation Number 



Initiator (e.g., target, network, conferee) - see 
Note 



Conference URI 



Temporary Conference URI 



Conference End reason 



NOTE: The initiator can indicate that the decision to end the conference was the target or conferee, if the target or 
conferee sends an explicit command to end the conference. It could be the network, if it determines the 
time length for the conference is ended. 

1 1 .3.3.6 Creation of Conference 

When a conference is created, a Creation of Conference-event is generated in the following cases: 

- When a target successfully provisions or requests a conference to be created. 

This event is applicable provided that at least one of the two identities (IMPU, IMPI) are available at the AS/MRFC. 
Other scenarios, such as in case the creation is done via a web interface and the IMPU/IMPI cannot be seen are outside 
the scope of this specification. 

The fields, shown in Table 11.3.7, will be deHvered to the DF2, if available, by the AS/MRFC. 

Table 1 1 .3.7 Creation of Conference 



Observed IIVIPU 



Observed IIVIPI 



Observed Other Identity 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



List of Potential Conferees (if available) 



Conference URI 



Temporary Conference URI 



Potential Conference Start Date and Time (if 
available) - Note 1 



Potential Conference End Date and Time (if 
available) - See Note 1 



Recurrence Information - See Note 2. 



Identity(ies) of Conference Controller 



NOTE 1 : This information is statically provisioned information and is not correlated to the timestamp requirements 
for LI. 

NOTE 2: Recurrence information indicates the frequency or pattern of recurrence of the created conference. 

1 1 .3.3.7 Update of Conference 

When a conference is updated, an Update of Conference-event is generated in the following cases: 
- When a target successfully provisions or requests a conference to be updated. 
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This event is applicable provided that at least one of the two identities (IMPU, IMPI) are available at the AS/MRFC. 
Other scenarios, such as in case the creation is done via a web interface and the IMPU/IMPI cannot be seen are outside 
the scope of this specification. 

The fields, shown in Table 11.3.8, will be deHvered to the DF2, if available, by the AS/MRFC. 



Table 11.3.8 Update of Conference 



Observed IMPU 



Observed IMPI 



Observed Other Identity 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



List of Potential Conferees (if available) 



Conference URI 



Temporary Conference URI 



Potential Conference Start Date and Time (if 
available) - Note 1 



Potential Conference End Date and Time (if 
available) - See Note 1 



Recurrence Information - See Note 2. 



Identity(ies) of Conference Controller 



NOTE 1 : This information is statically provisioned information and is not correlated to the timestamp requirements 
for LL 

NOTE 2: Recurrence information indicates the frequency or pattern of recurrence of the created conference. 
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12 Lawful Interception for Evolved Packet System 
12.1 LI functional architecture for EPS 

In addition to the reference configurations applicable to PS interception, the following figures contain the reference 
configuration applicable for the lawful interception in the EPS nodes ([22], [23]): 
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Figure 1 2.1 .1 : MME Intercept configuration 
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Figure 1 2.1 .2: HSS Intercept configuration 
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Figure 12.1.3: S-GW, PDN-GW Intercept configuration 

The definition of the LI functional entities (ADMF, DF, MF, LEMF) and interfaces (X, HI) is the same as for 3G as 
given in chapter 4. 

Procedures for LI activation, deactivation and interrogation are the same as for 3G as given in chapter 5, provided that: 

the 3G ICE is replaced by the EPS node; 

the proper target identity applicable to EPS node is used. 

When the SGSN is used as node in the Evolved Packet System, to support 2G/3G access and mobility between E- 
UTRAN and pre-E-UTRAN 3GPP radio access technologies, it is subjected to all the related PS requirements specified 
throughout this document. 

When the ePDG and the AAA server are used as node in the Evolved Packet System, to support untrusted Non-3 GPP IP 
Access, they are subjected to all the requirements specified in this document for the PDG and the AAA server for the 
case of I-WLAN interworking. 

12.2 Functional requirements for LI in case of E-UTRAN access 
and GTP based S5/S8. 

The target identities for interception at the MME, HSS, S-GW and PDN-GW are IMSI, MSISDN and ME (Mobile 
Equipment) Identity. 

NOTE 1 : Details about information included in the ME Identity and the relationship with IMEI needs to be 

considered. The term Mobile Equipment Identity is used in this text according to [22] so as to indicate 
that the EPC should support multiple equipment identity formats (e.g. those from 3GPP2, WiMAX, etc) 
as well as the IMEISV. 

NOTE 2: In case of local breakout the PDN Gateway is in the VPLMN. In this case LI relevant information in the 
H-PLMN might be available at the H-PCRF. Interception at the H-PCRF is FES. 

NOTE 3: In case the ME Identity and/or MSISDN is not available in a node, interception based on the missing 
identity is not applicable at that node. 

NOTE 4: MSISDN is a possible identity available in the EPC nodes, which may be provided by the HSS to the 
MME and then forwarded to the S-GW/PDN-GW. 

As the MME only handles control plane, interception of Content of Communication is applicable only at the S-GW and 
PDN-GW. As the HSS only handles signaling, interception of Content of Communication is not applicable at this node. 
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LI in the PDN-GW is a national option. 

For the deHvery of the CC and IRI the S-GW and/or, per national option PDN-GW provides correlation number and 
target identity to the DF2 and DF3 which is used there in order to select the different LEAs where the product shall be 
delivered. 

The correlation number is unique in the whole PLMN and is used to correlate CC with IRI and the different IRI's of one 
EPS bearer. 

The correlation number shall be generated by using existing parameters related to the EPS bearer. 

NOTE 5: If interception has been activated for both parties of the Packet Data communication both CC and IRI will 
be delivered for each party as separate intercept activity. 

Location Dependent Interception for EPC is FES. 

12.2.1 Provision of Intercept Related Information 

Intercept Related Information (Events) shall be sent at the Mobile Entity Attach, Mobile Entity Detach, Tracking Area 
Update, Bearer activation (valid for both Default and Dedicated bearer). Start of Intercept with bearer active. Bearer 
Modification, Bearer Deactivation, Serving Evolved Packet System (applicable to the HSS), UE requested PDN 
connectivity, UE requested PDN disconnection, UE Requested Bearer Resource Allocation, UE Requested 
Modification. 

Serving Evolved Packet System event reporting is a national option. 

12.2.1.1 X2-interface 

The following information needs to be transferred from the EPS nodes or the HSS to the DF2 in order to allow a DF2 to 
perform its functionality: 

- target identity (IMSI, MSISDN, ME identity); 

- events and associated parameters as defined in clause 12.2.1.2 and 12.2.3 may be provided; 

- the target location (if available) or the I As in case of location dependent interception; 
correlation number; 

- Quality of Service (QoS) information (if available); 

- encryption parameters (keys and associated parameters for decrypting CC), if available and necessary. 
The IRI should be sent to DF2 using a reliable transport mechanism. 

12.2.1.2 Structure of the events 

There are several different events in which the information is sent to the DF2 if this is required. Details are described in 
the following clause. The events for interception are configurable (if they are sent to DF2) in the EPC nodes or the HSS 
and can be suppressed in the DF2. The network procedures for which the events are generated are defined in [22]. 

The following events are applicable to the MME: 

- Attach; 

- Detach; 

- Tracking Area Update; 

- UE requested PDN connectivity; 

- UE Requested PDN disconnection. 

The following events are applicable to the Serving GW and PDN GW: 
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- Bearer activation (valid for both Default and Dedicated bearer); 

- Start of intercept with bearer active; 

- Bearer modification; 

- Bearer deactivation; 

- UE Requested Bearer Resource Modification. 
The following events are applicable to the HSS: 

Serving Evolved Packet System. 

A set of elements as shown below can be associated with the events. The events trigger the transmission of the 
information from the nodes to DF2. Available lEs from this set of elements as shown below can be extended in the 
nodes, if this is necessary as a national option. DF2 can extend available information if this is necessary as a national 
option. 
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Observed MSISDN 

MSISDN of the target subscriber (monitored subscriber). 



Observed IIVISI 

IIVISI of the target subscriber (monitored subscriber). 



Observed IVIE Id 

IVIE Id of the target subscriber (monitored subscriber); when it coincides with the IIVIEI, it shall be checked for each 

activation over the radio interface. 



Event type 

Indicates which type of event is delivered: Attach, Detach, Tracking Area Update, UE requested PDN connectivity, 
UE Requested PDN disconnection, UE Requested Bearer Resource Modification, Bearer activation. Start of intercept 
with bearer active. Bearer deactivation. Bearer modification. Serving Evolved Packet System. 



Event date 

Date of the event generation in the ICE. 



Event time 

Time of the event generation in the ICE. Timestamp shall be generated relative to ICE internal clock. 



PDN Type 

Indicates the used IP version (IPv4, IPv4/IPv6, IPv6), including possible reason for modification by the network. 



Protocol Configuration Options 

Are used to transfer parameters between the UE and the PDN-GW (e.g. Address Allocation Preference by DHCP). 



Attach type 

Indicates the type of attach (may carry indication of handover in case of mobility with non-3GPP access). 



Location Information 

Location Information is the Tracking Area Identity (TAI), TA List assigned to the UE, E-CGI and/or location area 
identity that is present at the node at the time of event record production. In case of Tracking Area Update event, the 
last visited TAI of the UE may be applicable. 



PDN address(es) 

The UE IP address(es) for the PDN connection. 



APN 

The Access Point Name used for the connection; in unsuccessful cases this may be the APN requested by the UE. 



RAT type 

The Radio Access Type 



APN-AMBR 

The Aggregate Maximum Bit Rate for the APN. 



Handover indication 

Provides information that the procedure is triggered as part of a handover. 



Procedure Transaction Identifier 

Identifies a set of messages belonging to the same procedure; the parameter is dynamically allocated by the UE. 



EPS bearer identity 

An EPS bearer identity uniquely identifies an EPS bearer for one UE accessing via E-UTRAN. The EPS Bearer 

Identity is allocated by the MME. 



Bearer activation/deactivation type 

Indicates the type of bearer being activated/deactivated, i.e. default or dedicated. 



Linked EPS bearer identity 

Indicates, in case of dedicated bearer, the EPS bearer identity of the default bearer. 



Initiator 

The initiator of the procedure, either the network or the UE. 



Switch off indicator 

Indicates whether a detach procedure is due to a switch off situation or not. 



Detach type 

Parameter sent by the network to the UE to indicate the type of detach. 



Traffic Flow Template (TFT) 

The EPS bearer traffic flow template (TFT) is the collection of all packet filters associated with that EPS bearer. 



Traffic Aggregate Description (TAD) 

The TAD consists of the description of the packet filter(s) for the traffic flow aggregate. 



Serving MME address 

The address of the serving MME. 



Old Location Information 

Location Information of the subscriber before Tracking Area Update. 



Correlation Number 

The correlation number is used to correlate CC and IRI. 



Network Element Identifier 

Unique identifier for the ICE reporting the event. 



Failed attach reason 

Reason for failed attach of the target subscriber. 



Failed bearer activation reason 

Reason for failed bearer activation for the target subscriber. 



Failed UE requested Bearer Modification reason 
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The reason for failure of an UE requested Bearer Modification. 



lAs 

The observed Interception Areas. 



Bearer Deactivation cause 

The cause of deactivation of the PDP context. 



EPS Bearer QoS 

This field indicates the Quality of Service associated with the Bearer procedure. 



Request type 

Indicates the type of request in an UE requested PDN connectivity, i.e. initial request or handover. 



12.2.2 X3-interface 

The access method for the deHvering of S-GW and/or PDN-GW Intercept Product is based on dupHcation of packets 
without modification at the S-GW and/or PDN-GW. The dupHcated packets with additional information in a header are 
sent to DF3 for further deHvery to the LEA. 
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Figure 12.2.2.1 : Configuration for interception of S-GW/PDN-GW product data 

In addition to the intercepted content of communication, the following information needs to be transferred from the S- 
GW and/or the PDN-GW to the DF3 to perform its functionality: 

target identity; 

correlation number; 

time stamp (optional); 

direction (indicates whether T-PDU is MO or MT) - optional; 

the target location (if available) or the lAs in case of location dependent interception. 

NOTE: location dependent interception for EPC is FFS. 
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12.2.3 EPS related events 



12.2.3.1 



Attach 



When an attach activation is generated from the mobile an attach event is generated by the MME. These elements will 
be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed ME Id 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



Failed attach reason 



lAs (if applicable) 



PDN Type 



APN 



Protocol Configuration Options 



Attach type 



EPS bearer identity 



12.2.3.2 Detach 

For detach a detach-event is generated. The following elements will be delivered by the MME to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed ME Id 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



lAs (if applicable) 



Detach initiator 



Switch off indicator 



Detach type 



12.2.3.3 



Bearer activation 



When a bearer activation is generated a bearer activation-event is generated by the S-GW/PDN-GW. These elements 
will be delivered to the DF2 if available: 
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Observed MSISDN 



Observed IMSI 



Observed ME Id 



RAT type (note 1 ) 



PDN address(es) (note 1) 



PDN type (note 1) 



Event Type 



Event Time 



Event Date 



Correlation number 



APN (Access Point Name) (note 1) 



Bearer activation Type (default, dedicated) 



Network Element Identifier 



Location Information 



Failed bearer activation reason 



lAs (if applicable) 



EPS bearer QoS (note 2) 



APN-AMBR (note 3) 



EPS bearer id (NSAPI) 



Protocol Configuration Options 



Initiator 



Procedure Transaction Identifier 



Linked EPS bearer identity (note 2) 



Traffic Flow Template(s) (TFT) (note 1) 



Handover indication 



NOTE 1 : Only in case of default bearer activation. 

NOTE 2: In case of unsuccessful default bearer activation, the parameter carries the requested EPS bearer QoS, 
otherwise it carries the EPS bearer QoS associated to the established bearer. 

NOTE 3: In case of unsuccessful default bearer activation, the parameter carries the subscribed APN-AMBR, 
otherwise it carries the APN-AMBR used for the established bearer. 



12.2.3.4 



Bearer deactivation 



When a bearer deactivation is generated a bearer deactivation-event is generated by the S-GW/PDN-GW. These 
elements will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed ME Id 



Event Type 



Event Time 



Event Date 



Correlation number 



Bearer deactivation Type (default, dedicated) 
Network Element Identifier 



Location Information 



lAs (if applicable) 



EPS bearer id 



Initiator 



Procedure Transaction Identifier 



Bearer deactivation Cause (note ) 



In case all the bearers belonging to the same PDN connection are released at the same time, one event shall be sent for 
each bearer. 

NOTE : Cause can be present e.g. in case of inter S-GW TAU, when the new S-GW sends a bearer deactivation 
request to the old S-GW. 
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12.2.3.5 



Bearer modification 



When a bearer modification is detected, a bearer modification event shall be generated. These elements will be 
deUvered by the S-GW/PDN-GW to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed ME Id 



Event Type 



Event Time 



Event Date 



Correlation number 



Network Element Identifier 



Location Information 



lAs (if applicable) 



Initiator 



EPS Bearer QoS (Note 1) 



EPS bearer id 



Procedure Transaction Identifier 



RAT type 



APN-AMBR (Note 2) 



Traffic Flow Template(s) (TFT) 



Handover indication 



NOTE 1: In case of unsuccessful default bearer modification, the parameter carries the requested EPS bearer QoS, 
otherwise it carries the EPS bearer QoS associated to the modified bearer. 

NOTE 2: In case of unsuccessful default bearer modification, the parameter carries the subscribed APN-AMBR, 
otherwise it carries the APN-AMBR used for the modified bearer. 



12.2.3.6 



Start of interception with active bearer 



This event will be generated if interception for a target is started and if the target has at least the default bearer active. If 
more then one bearer is active, for each of them an event record is generated. The parameters which are defined for 
bearer activation (see related section) will be sent, if available, by the S-GW/PDN-GW to the DF2. 

As an option, in case the event is sent due to a change of the involved S-GW, the new S-GW may provide as additional 
parameter, the 'old location information'. However, the absence of this information does not imply that interception has 
not started in the old location S-GW for an active bearer. 



12.2.3.7 



Tracking Area Update 



For each TA update an update-event with the elements about the new location is generated. New MME shall send the 
event, and the old MME may optionally send the event as well. These elements will be delivered to the DF2 if 
available: 



Observed MSISDN 



Observed IMSI 



Observed ME 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information (only for the new MME) 
Old Location Information (only for the old MME) 
lAs (if applicable) 



Failure reason 
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12.2.3.8 Serving Evolved Packet System 

The Serving Evolved Packet System report event is generated at the HSS, when the HSS has detected that the intercept 
subject has roamed. The elements will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed ME 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Serving IVIIVIE Address 



12.2.3.9 UE requested PDN connectivity 

When a PDN connectivity is requested from the mobile to allow multiple PDN connections ([22]), an UE requested 
PDN connectivity event is generated by the MME. These elements will be delivered to the DF2 if available: 



Observed IVISISDN 



Observed IIVISI 



Observed IVIE 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



APN 



Request type 



PDN type 



Failed reason 



lAs (if applicable) 



PDN Address(es) 



Protocol Configuration Options 



EPS bearer identity 



12.2.3.10 UE requested PDN disconnection 

When a PDN disconnection is requested from the mobile to request for disconnection from one PDN ([22]), an UE 
requested PDN disconnection event is generated by the MME. These elements will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed ME 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



lAs (if applicable) 



Linked EPS bearer identity 



12.2.3.1 1 UE requested Bearer Resource Modification 

When UE requested Bearer Resource Modification [22] is detected at the S-GW/PDN-GW, an UE requested Bearer 
Resource Modification event is generated. These elements will be delivered to the DF2 if available: 
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Observed MSISDN 



Observed IMSI 



Observed ME 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



lAs (if applicable) 



Linked EPS bearer identity 



Procedure Transaction Identifier 



EPS bearer QoS 



Traffic Aggregate Description 



Failed UE requested Bearer Modification reason 
Protocol Configuration Options 



12.2.3.12 Void 

12.3 Functional requirements for LI in case of E-UTRAN access 
and PMIP based S5/S8 interfaces. 

Functional requirements for LI in the MME, S-GW and HSS do not differ from the ones applicable to the case of GTP 
based S5-S8 interfaces, as specified in clause 12.2 and subclauses. 

LI in the PDN-GW is a national option. 

Interception in the PDN-GW shall be based on NAI. 

For the delivery of the CC and IRI, the PDN-GW provides correlation number and target identity to the DF2 and DF3 
which is used there in order to select the different LEAs where the product shall be delivered. 

The correlation number is unique in the whole PLMN and is used to correlate CC with IRI and the different IRI's of one 
IP-CAN session. However, when different protocols (i.e. GTP and PMIP) are used in the network, different values can 
be generated by different nodes. 

The correlation number shall be generated by using existing parameters related to the IP-CAN session. 

NOTE: If interception has been activated for both parties of the Packet Data communication both CC and IRI will 
be delivered for each party as separate intercept activity. 

12.3.1 Provision of Intercept Related Information 

Intercept Related Information (Events) shall be sent at attach/tunnel activation, detach/tunnel deactivation, start of 
interception with active PMIP tunnel, PDN-GW initiated PDN-disconnection, UE requested PDN connectivity. Serving 
Evolved Packet System. 

Serving Evolved Packet System reporting is a national option. Requirements on the HSS specified in section 12.2 and 
subsections apply also to the case in which S5/S8 interfaces are PMIP based. 



12.3.1.1 



X2 interface 



The following information needs to be transferred from the PDN-GW to the DF2 in order to allow a DF2 to perform its 
functionality: 

- target identity; 

- events and associated parameters as defined in clause 12.3.1.2 and 12.3.3 may be provided; 

- the target location (if available) or the I As in case of location dependent interception; (FES) 

- correlation number; 
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- Quality of Service (QoS) information, if available; 

- encryption parameters (keys and associated parameters for decrypting CC), if available and necessary. 
The IRI should be sent to DF2 using a reliable transport mechanism. 



12.3.1 .2 Structure of the events 

There are several different events in which the information is sent to the DF2 if this is required. The events for 
interception are configurable (if they are sent to DF2) in the PDN-GW and can be suppressed in the DF2. The network 
procedures for which the events are generated are defined in [23]. 

The following events are applicable to the PDN-GW: 

- PMIP Attach/tunnel activation; 

- PMIP Detach/tunnel deactivation; 

- Start of interception with active PMIP tunnel; 

- PMIP PDN-GW initiated PDN-disconnection. 

A set of elements as shown below can be associated with the events. The events trigger the transmission of the 
information from the nodes to DF2. Available lEs from this set of elements as shown below can be extended in the 
nodes, if this is necessary as a national option. DF2 can extend available information if this is necessary as a national 
option. 



Observed MN NAI 

The Network Access Identifier of the Mobile Node (target identity). 



Event type 

Indicates which type of event is delivered: PMIP attach/tunnel activation, PMIP detach/tunnel deactivation, Start of 

interception with active PMIP tunnel, PMIP PDN-GW initiated PDN disconnection. 



Event time 

Time of the event generation in the ICE. Time stamp shall be generated relative to ICE internal clock. 



Event date 

Date of the event generation in the ICE. 



Correlation number 

The correlation number is used to correlate CC and IRI. 



Network Element Identifier 

Unique identifier for the ICE reporting the event. 



Lifetime 

Indicates the lifetime of the tunnel; it is set to a nonzero value in the case of registration; is set to zero in case of 

deregistration. 



Failed attach reason 

Reason for the failed attach/tunnel deactivation of the target subscriber. 



Access technology type 
Indicates the Radio Access Type. 



Handover indicator 

Provides information on whether the procedure is triggered as part of a handover. 



APN 

The Access Point Name used for the connection. 



UE address info 

Includes one or more IP addresses allocated to the UE. 



Additional Parameters 

Additional information provided by the UE, such as protocol configuration options. 



PDN address(es) 

The UE IP address(es) for the PDN connection. 



Revocation trigger 

Indicates the reason which triggered the PDN-GW initiated PDN-disconnection procedure 
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12.3.2 X3-interface 

The access method for the deHvering of PDN-GW Intercept Product is based on dupHcation of packets without 
modification at the PDN-GW. The dupHcated packets with additional information in a header are sent to DF3 for further 
deHvery to the LEA. 
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Figure 12.3.2.1 : Configuration for interception of PDN-GW product data 

In addition to the intercepted content of communication, the following information needs to be transferred from the 
PDN-GW to the DF3 to perform its functionality: 

target identity; 

correlation number; 

time stamp (optional); 

direction (indicates whether T-PDU is MO or MT) - optional; 

the target location (if available) or the lAs in case of location dependent interception. 

NOTE: location dependent interception for EPC is FFS. 



12.3.3 LI events for E-UTRAN access with PM IP-based S5 or S8 

12.3.3.1 Initial E-UTRAN Attach and UE PDN requested connectivity with PMIP-based 

S5 or S8 

When the E-UTRAN Attach or UE requested PDN connectivity is detected at the PMIP based PDN-GW, a PMIP 
attach/tunnel activation event shall be generated by the PDN-GW. The following elements will be delivered to the 
DF2 if available: 
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Observed MN NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



Network Element Identifier 



Lifetime 



Failed attach reason 



Access Technology Type 



Handover Indicator 



APN 



UE Address Info 



Additional Parameters 



12.3.3.2 



Detach and PDN disconnection for PMIP-based S5/S8 



When the Detach or PDN disconnection is detected at the PMIP based PDN-GW, a PMIP detach/tunnel deactivation 
event shall be generated by the PDN-GW. The following elements will be delivered to the DF2 if available: 



Observed MN NAI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Correlation number 



APN 



12.3.3.3 Start of interception with active tunnel for PMIP based S5/S8 

This event shall be generated by the PDN-GW if interception for a target is started and if the target has an active PMIP 
tunnel. If more then one connection is active, for each of them an event record is generated. The parameters which are 
defined for PMIP attach/tunnel activation (see related section) will be sent, if available, by the PDN-GW to the DF2. 



12.3.3.4 



Dedicated Bearer Procedures for E-UTRAN Access with PMIP-based S5/S8 



All the procedures can be intercepted at the S-GW according to the requirements specified for LI in case of GTP based 
S5/S8. 

PDN-GW is not involved in these procedures, except for the case of PDN-GW initiated PDN-disconnection 
Procedure. 



12.3.3.5 



PDN-GW initiated PDN-disconnection Procedure 



When a PDN-GW initiated PDN-disconnection procedure is detected, a PMIP PDN-GW initiated PDN-disconnection 

event shall be generated by the PDN-GW. The following elements will be delivered to the DF2: 



Observed MN NAI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Correlation number 



PDN Address(es) 



Revocation trigger 
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12.4 Functional requirements for LI in case of trusted non-3GPP IP 
access 

Differently to what happens in E-UTRAN case, in which the user traffic passes through the S-GW and then through the 
PDN-GW, in case of access to the network through S2a (trusted Non-3GPP access), the PDN-GW is, in case of non 
roaming and local breakout, located in the VPLMN and is the only possible ICE in 3 GPP network. 

Interception in the S-GW and PDN-GW shall be based on NAI. 

For the delivery of the CC and IRI, the S-GW and/or PDN-GW provides correlation number and target identity to the 
DF2 and DF3 which is used there in order to select the different LEAs where the product shall be delivered. 

The correlation number is unique in the whole PLMN and is used to correlate CC with IRI and the different IRI's of one 
IP-CAN session. However, when different protocols (i.e. GTP and PMIP) are used in the network, different values can 
be generated by different nodes 

The correlation number shall be generated by using existing parameters related to the IP-CAN session. 

NOTE: If interception has been activated for both parties of the Packet Data communication both CC and IRI will 
be delivered for each party as separate intercept activity. 



12.4.1 Provision of Intercept Related Information 

Intercept Related Information (Events) shall be sent at attach/tunnel activation on interfaces s2a and s2c, detach/tunnel 
deactivation, start of interception with active tunnel, PDN-GW reallocation upon initial attach on s2c, PDN GW 
initiated resource allocation Deactivation on s2a. Serving Evolved Packet System. 

Serving Evolved Packet System reporting is a national option. 

12.4.1.1 X2-interface 

The following information needs to be transferred from the S-GW, PDN-GW or the HSS to the DF2 in order to allow a 
DF2 to perform its functionality: 

- target identity; 

- events and associated parameters as defined in clause 12.4.1.2 and 12.4.3 may be provided; 

- the target location (if available) or the lAs in case of location dependent interception; (FES) 

- correlation number; 

- Quality of Service (QoS) information, if available; 

- encryption parameters (keys and associated parameters for decrypting CC), if available and necessary. 
The IRI should be sent to DE2 using a reliable transport mechanism. 



12.4.1.2 Structure of the events 

There are several different events in which the information is sent to the DE2 if this is required. The events for 
interception are configurable (if they are sent to DE2) in the S-GW, PDN-GW or the HSS and can be suppressed in the 
DF2. 

The following events are applicable to the S-GW: 

PMIP attach/tunnel activation; 
PMIP detach/tunnel deactivation; 
- Start of interception with active PMIP tunnel; 
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The following events are applicable to the PDN-GW: 

- PMIP Attach/tunnel activation; 

- PMIP Detach/tunnel deactivation; 

Start of interception with active PMIP tunnel; 

- MIP registration/tunnel activation; 

- DSMIP registration/tunnel activation; 

- MIP deregistration/tunnel deactivation; 

- DSMIP deregistration/tunnel deactivation; 

- Start of interception with active MIP tunnel; 

- Start of interception with active DSMIP tunnel; 

- DSMIP HA Switch; 

PMIP Resource Allocation Deactivation; 

- MIP Resource Allocation Deactivation. 
The following event is applicable to the HSS: 

- Serving Evolved Packet System. 

A set of elements as shown below can be associated with the events. The events trigger the transmission of the 
information from the nodes to DF2. Available lEs from this set of elements as shown below can be extended in the 
nodes, if this is necessary as a national option. DF2 can extend available information if this is necessary as a national 
option. 
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Observed MN NAI 

The Network Access Identifier of the Mobile Node (target identity). 



Event type 

Indicates which type of event is delivered: PMIP attach/tunnel activation, PMIP detach/tunnel deactivation, Start of 
interception with active PMIP tunnel, MIP registration/tunnel activation, DSMIP registration/tunnel activation, MIP 
deregistration/tunnel deactivation, DSMIP deregistration/tunnel deactivation. Start of interception with active MIP 
tunnel. Start of interception with active DSMIP tunnel, DSMIP HA Switch, PMIP resource Allocation Deactivation, MIP 
Resource Allocation Deactivation, Serving Evolved Packet System. 



Event time 

Time of the event generation in the ICE. Time stamp shall be generated relative to ICE internal clock. 



Event date 

Date of the event generation in the ICE. 



Correlation number 

The correlation number is used to correlate CC and IRI. 



Network Element Identifier 

Unique identifier for the ICE reporting the event. 



Lifetime 

Indicates the lifetime of the tunnel; must be set to a nonzero value in the case of registration; is set to zero in case of 

deregistration. 



Failed attach reason 

Reason for the failed attach/tunnel deactivation of the target subscriber. 



Access technology type 
Indicates the Radio Access Type. 



Handover indicator 

Provides information on whether the triggered as part of a handover. 



APN 

The Access Point Name used for the connection. 



UE address info 

Includes one or more IP addresses allocated to the UE. 



Additional Parameters 

Additional information provided by the UE, such as protocol configuration options. 



PDN address(es) 

The UE IP address(es) for the PDN connection. 



Home address 

Contains the UE Home IP address. 



Home Agent address 

Contains the IP address of the Home Agent. 



Requested IPv6 Home Prefix 

The IPv6 Home Prefix requested by the UE. 



IPv6 home prefix 

The IPv6 home prefix assigned by the PDN GW to the UE. 



Care of Address 

The Local IP address assigned to the UE by the Access Network, used as Care of Address for DSMIPv6 over S2c 

reference point. 



HSS/AAA address 

The address of the HSS/AAA triggering the PDN-GW reallocation. 



Target PDN-GW address 

The address of the PDN-GW which the UE will be reallocated to. 



Revocation trigger 

Contains the cause for the revocation procedure. 



Foreign domain address 

The relevant IP address in the foreign domain. 



Serving node IP address 

The IP address of the node serving the target UE. 
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12.4.2 X3-interface 

The access method for the deHvering of S-GW and/or PDN-GW Intercept Product is based on dupHcation of packets 
without modification at the S-GW and/or PDN-GW. The dupHcated packets with additional information in a header are 
sent to DF3 for further deHvery to the LEA. 
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Figure 12.4.2.1: Configuration for interception of S-GW/PDN-GW product data 

n addition to the intercepted content of communication, the following information needs to be transferred from the S- 
GW and/or the PDN-GW to the DF3 to perform its functionality: 

target identity; 

correlation number; 

time stamp (optional); 

direction (indicates whether T-PDU is MO or MT) - optional; 

the target location (if available) or the lAs in case of location dependent interception. 

NOTE: location dependent interception for EPC is FES. 

1 2.4.3 LI events for trusted Non-3GPP IP access 



12.4.3.1 



Initial Attach and PDN connection activation with PMIPv6 on S2a 



When the Attach or PDN connectivity activation is detected over PMIP at the S-GW, PDN-GW, a PMIP attach/tunnel 
activation event shall be generated. The following elements will be delivered to the DF2 if available: 
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Observed MN NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



Network Element Identifier 



Lifetime 



Failed attach reason 



Access Technology Type 



Handover Indicator 



APN 



UE Address Info 



Additional Parameters 



12.4.3.2 Initial Attach and PDN connection activation procedures with MIPv4 FACoA 
on S2a 

When the Attach or PDN connectivity activation is detected over MIP at the PDN-GW, a MIP registration/tunnel 
activation event shall be generated. The following elements will be delivered to the DF2 if available: 



Observed MN NAI 



Correlation number 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Lifetime 



Failed attach reason 



Home Address 



Care of Address 



Home Agent Address 



APN 



NOTE: As the S-GW has no Home Agent function, the event is not applicable to the S-GW. The use of MIPv4 in 
roaming case requires Local Breakout (PDN-GW in VPLMN), so LI in the PDN-GW is mandatory in 
order to intercept in this scenario. 

12.4.3.3 Initial Attach and PDN connection activation procedures with DSMIPv6 over 
S2c 

When the Attach or PDN connectivity activation is detected over DSMIP at the PDN-GW, a DSMIP 
registration/tunnel activation event shall be generated. The following elements will be delivered to the DF2 if 
available: 



Observed MN NAI 



Correlation number 



Event Type 



Event Date 



Event Time 



Network Element Identifier 



Lifetime 



Requested IPv6 home prefix 



IHome address 



APN 



Care of Address 



Failed attach reason 



12.4.3.4 



Detach and PDN disconnection with PMIPv6 on S2a 



When a Detach or PDN disconnection is detected over PMIP at the S-GW, PDN-GW, a PMIP detach/tunnel 
deactivation event shall be generated. The following elements will be delivered to the DF2 if available: 
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Observed MN NAI 



Event Type 



Event Date 



Event Time 



Correlation number 



Network Element Identifier 



APN 



Initiator 



12.4.3.5 



Detach and PDN disconnection with MIPv4 FACoA 



When a Detach or PDN disconnection is detected over MIP at the PDN-GW, a MIP deregistration/tunnel 
deactivation event shall be generated. The following elements will be delivered to the DF2 if available: 



Observed MN NAI 



Correlation number 



Event Type 



Event Date 



Event Time 



Network Element Identifier 



Home Address 



Home Agent Address 



Care of address 



Initiator 



12.4.3.6 



Detach and PDN disconnection with DSMIPv6 on S2c 



When a Detach or PDN disconnection is detected over DSMIP at the PDN-GW, a DSMIP deregistration/tunnel 

deactivation event shall be generated. The following elements will be delivered to the DF2 if available: 



Observed MN NAI 



Event Type 



Event Date 



Event Time 



Correlation number 



Network Element Identifier 



Home Address 



Initiator 



12.4.3.7 PDN-GW reallocation upon initial attach on s2c 

When a PDN GW reallocation procedure is detected by the PDN-GW, a DSMIP HA Switch event shall be generated. 
The following elements will be delivered to the DF2 if available: 



Observed MN NAI 



Event Type 



Event Date 



Event Time 



Network Element Identifier 



HSS/AAA address 



Target PDN-GW address 



12.4.3.8 



PDN GW initiated Resource Allocation Deactivation with S2a PMIP 



When a PDN GW initiated resource allocation deactivation is detected by the S-GW/PDN-GW, a PMIP Resource 
Allocation Deactivation event shall be sent. The following elements will be delivered to DF2 if available 
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Observed MN NAI 



Event Type 



Event Date 



Event Time 



Network Element Identifier 



Revocation trigger 



Home Address 



Care of address 



Correlation number 



12.4.3.9 



PDN GW initiated Resource Allocation Deactivation with S2a MIP v4 



When a PDN GW initiated resource allocation deactivation is detected, a MIP Resource Allocation Deactivation event 
shall be sent. The following elements will be delivered to DF2 if available 



Observed MN NAI 



Event Type 



Event Date 



Event Time 



Network Element Identifier 



Revocation trigger 



Home Address 



Foreign domain address 



Correlation number 



12.4.3.10 Serving Evolved Packet System 

The Serving Evolved Packet System report event is generated at the HSS, when the HSS has detected that the intercept 
subject has roamed. The elements will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed ME Identity 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Serving node IP address 



1 2.4.3.1 1 Start of interception with active tunnel 

When interception is started at the S-GW, PDN-GW and the target has an already active tunnel, a start of interception 
with active tunnel shall be generated. Separate events are defined for the different protocols. The event shall be detected 
by the same node for which tunnel activation reporting is applicable and reported with the same parameters required for 
the specific protocol (PMIP, MIP, DSMIP) tunnel activation event, as defined in the related sections. One event shall be 
sent for each active tunnel. 

12.5 Functional requirements for LI in case of untrusted non-3GPP 
IP access 

The e-PDG and the AAA server are subjected to all the requirements specified in this document for PDG and AAA 
server for the case of I-WLAN interworking. 

Interception in the PDN-GW is a national option. 

Interception in the PDN-GW shall be based on NAI. 

For the delivery of the CC and IRI, the PDN-GW provides correlation number and target identity to the DF2 and DF3 
which is used there in order to select the different LEAs where the product shall be delivered. 



ETSI 



3GPP TS 33.107 version 8.7.0 Release 8 90 ETSI TS 133 107 V8.7.1 (2009-04) 

12.5.1 Provision of Intercept Related Information 

Intercept Related Information (Events) shall be sent at attach/tunnel activation on interfaces s2b and s2c, detach/tunnel 
deactivation, start of interception with active tunnel, Serving Evolved Packet System. 

Serving Evolved Packet System reporting is a national option. 

12.5.1.1 X2-interface 

The following information needs to be transferred from the PDN-GW or the HSS to the DF2 in order to allow a DF2 to 
perform its functionality: 

- target identity; 

- events and associated parameters as defined in clause 12.5.1.2 and 12.5.3 may be provided; 

- the target location (if available) or the I As in case of location dependent interception; (FES) 

- correlation number; 

- Quality of Service (QoS) information, if available; 

- encryption parameters (keys and associated parameters for decrypting CC), if available and necessary. 
The IRI should be sent to DE2 using a reliable transport mechanism. 

12.5.1 .2 Structure of the events 

There are several different events in which the information is sent to the DE2 if this is required. The events for 
interception are configurable (if they are sent to DE2) in the PDN-GW or the HSS and can be suppressed in the DE2. 

The following events are applicable to the PDN-GW: 

- PMIP Attach/tunnel activation; 

- PMIP Detach/tunnel deactivation; 

- Start of interception with active PMIP tunnel; 

- DSMIP registration/tunnel activation; 

- DSMIP deregistration/tunnel deactivation; 

- Start of interception with active DSMIP tunnel; 

- DSMIP HA Switch; 

- PMIP Resource Allocation Deactivation. 
The following events is applicable to the HSS: 

- Serving Evolved Packet System 

A set of elements as shown below can be associated with the events. The events trigger the transmission of the 
information from the nodes to DE2. Available lEs from this set of elements as shown below can be extended in the 
nodes, if this is necessary as a national option. DE2 can extend available information if this is necessary as a national 
option. 
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Observed MN NAI 

The Network Access Identifier of the Mobile Node (target identity). 



Event type 

Indicates which type of event is delivered: PMIP attach/tunnel activation, PMIP detach/tunnel deactivation, Start of 
interception with active PMIP tunnel, DSMIP registration/tunnel activation, DSMIP deregistration/tunnel deactivation. 
Start of interception with active DSMIP tunnel, DSMIP HA Switch, PMIP resource Allocation Deactivation, Serving 
Evolved Packet System. 



Event time 

Time of the event generation in the ICE. Time stamp shall be generated relative to ICE internal clock. 



Event date 

Date of the event generation in the ICE. 



Correlation number 

The correlation number is used to correlate CC and IRI. 



Network Element Identifier 

Unique identifier for the ICE reporting the event. 



Lifetime 

Indicates the lifetime of the tunnel; must be set to a nonzero value in the case of registration; is set to zero in case of 

deregistration. 



Failed attach reason 

Reason for the failed attach/tunnel deactivation of the target subscriber. 



Access technology type 
Indicates the Radio Access Type. 



Handover indicator 

Provides information on whether the triggered as part of a handover. 



APN 

The Access Point Name used for the connection. 



UE address info 

Includes one or more IP addresses allocated to the UE. 



Additional Parameters 

Additional information provided by the UE, such as protocol configuration options. 



Home Agent address 

Contains the IP address of the Home Agent. 



Care of Address 

The Local IP address assigned to the UE by the Access Network, used as Care of Address for DSMIPv6 over S2c 

reference point. 



HSS/AAA address 

The address of the HSS/AAA triggering the PDN-GW reallocation. 



Target PDN-GW address 

The address of the PDN-GW which the UE will be reallocated to. 



Revocation trigger 

Contains the cause for the revocation procedure. 



Foreign domain address 

The relevant IP address in the foreign domain. 



Serving node IP address 

The IP address of the node serving the target UE. 



Requested IPv6 Home Prefix 

The IPv6 Home Prefix requested by the UE. 



IPv6 home prefix 

The IPv6 home prefix assigned by the PDN GW to the UE. 



Home address 

Contains the UE Home IP address. 
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12.5.2 X3-interface 

The access method for the deHvering of PDN-GW Intercept Product is based on dupHcation of packets without 
modification at the PDN-GW. The dupHcated packets with additional information in a header are sent to DF3 for further 
deHvery to the LEA. 



intercepted 
subscriber 




Delivery 
Function 3 



LEA 



DupHcator of 
packets 



Figure 12.5.2.1 : Configuration for interception of PDN-GW product data 

In addition to the intercepted content of communication, the following information needs to be transferred from the 
PDN-GW to the DF3 to perform its functionality: 

target identity; 

correlation number; 

time stamp (optional); 

direction (indicates whether T-PDU is MO or MT) - optional; 

the target location (if available) or the lAs in case of location dependent interception. 

NOTE: location dependent interception for EPC is FFS. 



12.5.3 LI events for untrusted Non-3GPP IP access 



12.5.3.1 



Initial Attach and PDN connection activation with PMIPv6 on S2b 



In the VPLMN, LI shall be done at the ePDG according to LI requirements for I-WLAN; no additional requirement 
applies to the S-GW for this case. 

When the attach or PDN connectivity activation is detected over PMIP at the PDN-GW, a PMIP attach/tunnel 
activation event shall be generated. The following elements will be delivered to the DF2 if available: 
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Observed MN NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



Network Element Identifier 



Lifetime 



Failed attach reason 



Access Technology Type 



Handoff Indicator 



APN 



UE Address Info 



Additional Parameters 



12.5.3.2 Initial attach and PDN connection activation for S2c in untrusted non-3GPP 
IP access 

In the VPLMN, LI shall be done at the ePDG according to LI requirements for PDG for I-WLAN. 

When the attach or PDN connectivity activation is detected over DS-MIPv6 at the PDN-GW, a DSMIP 
registration/tunnel activation event shall be generated. The following elements will be delivered to the DF2 if 
available: 



Observed MN NAI 



Correlation number 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Lifetime 



Failed attach reason 



Home address 



Care of Address 



APN 



Requested IPv6 Home Prefix 



12.5.3.3 UE/ePDG-initiated Detach Procedure and UE Requested PDN disconnection 
with PMIP 

In the VPLMN, LI shall be done at the ePDG according to LI requirements for PDG for I-WLAN; no additional 
requirement applies to the S-GW for this case. 

When the detach or UE requested PDN disconnection is detected over PMIP at the PDN-GW, a PMIP detach/tunnel 
deactivation event shall be generated. The following elements will be delivered to the DF2 if available: 



Observed MN NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



Network Element Identifier 



APN 



12.5.3.4 Detach and PDN Disconnection for S2c in Un-trusted Non-3GPP IP access 

In the VPLMN, LI shall be done at the ePDG according to LI requirements for PDG for I-WLAN. 

When the detach or PDN disconnection is detected over DS-MIPv6 at the PDN-GW, a DSMIP deregistration/tunnel 
deactivation event shall be generated. The following elements will be delivered to the DF2 if available: 
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Observed MN NAI 



Event Type 



Event Time 



Event Date 



Correlation number 



Network Element Identifier 



Home address 



Initiator 



Care of Address 



12.5.3.5 Serving Evolved Packet System 

The Serving Evolved Packet System report event is generated at the HSS, when the HSS has detected that the intercept 
subject has roamed. The elements will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed ME Identity 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Serving node IP address 



1 2.5.3.6 Start of interception with active tunnel 

When interception is started at the PDN-GW and the target has an already active tunnel, a start of interception with 
active tunnel shall be generated. Separate events are defined for the specific protocol (PMIP, DSMIP). The parameter 
applicable to the tunnel activation event, as defined in the related sections, will be delivered to the DF2 if available. 
One event shall be sent for each active tunnel. 

12.5.3.7 PDN-GW reallocation upon initial attach on s2c 

When a PDN GW reallocation procedure is detected by the PDN-GW, a DSMIP HA Switch event shall be generated. 
The following elements will be delivered to the DF2 if available: 



Observed MN NAI 



Event Type 



Event Date 



Event Time 



Network Element Identifier 



HSS/AAA address 



Target PDN-GW address 



12.5.3.8 



PDN GW initiated Resource Allocation Deactivation with S2b PMIP 



When a PDN GW initiated resource allocation deactivation is detected, a PMIP Resource Allocation Deactivation 

event shall be sent. The following elements will be delivered to DF2 if available: 
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Observed MN NAI 



Event Type 



Event Date 



Event Time 



Network Element Identifier 



Revocation trigger 



Home Network Prefix 



Care of address 



Correlation number 



12.6 Functional requirements for LI in case of Handovers 
between E-UTRAN and CDMA2000 Accesses. 

When an handover is performed from CDMA2000 Access to E-UTRAN, the MME shall intercept the attach event 
received from the HRPD AN based on IMSI. 

Interception at S-GW and PDN-GW shall be done according to the requirements given in section 12.2 or 12.3 and 
related subsections, depending on the protocol used over the S5/S8 interface. 

12.7 Functional requirements for LI in case of interworking 
between SGSN and EPS nodes over S4/S12 interfaces 

The SGSN and the HSS are subjected to the requirements applicable to these nodes for PS interception, as specified 
throughout this document. 

The S-GW is subjected to the requirements specified in section 12.2 and subsections. The applicable events shall be 
reported also when received from the SGSN over S4 interface. CC shall be also reported when received over S4/S12 
interfaces. The network procedures for which the events applicable to the S-GW, defined in section 12.2 and 
subsections, are generated when the S-GW is connected over S4/S12 interfaces to a SGSN are defined in [10]. 

The PDN-GW is subjected to the requirements specified in section 12.2 or 12.3 and related subsections, depending on 
the protocol used on S5/S8 interfaces, which are applicable also to the case in which the PDN-GW is involved for a 
target subscriber for which a S4 based SGSN is used. 

12.8 Functional requirements for LI in case of interworking 
between SGSN and PDN-GW over Gn/Gp interfaces 

According to [10] and [22] a PDN-GW may provide a Gn/Gp interface for interworking with the SGSN. When this 
interface is provided, from LI perspective the PDN-GW acts as a GGSN towards the involved SGSN. In this case, in 
addition to the requirements specified in this clause, all the requirements specified by this document for the GGSN are 
applicable to the PDN-GW. The SGSN is subjected to the requirements applicable to this node for PS interception, as 
specified throughout this document. 
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Annex A (informative): 

Information flows for Lawful Interception invocation of circuit 

switched services 

The following figures show the information flows for the invocation of Lawful Interception for various types of calls. 
The figures show some of the basic signalling messages of the target calls and the events on the X2 and X3 -interfaces. 
The call control messages to and from the network are shown for informational purposes only; some of them may not 
be sent or may be combined in certain networks. The handling of the bearers for the basic calls is not shown. The bearer 
points are established in a manner to minimise content loss without delaying the call to the target subscriber. The bearer 
establishment to agency will be in parallel or immediately following the bearer establishment to the target subscriber. 
The flows portray both forward and backward bearer establishment and release to the agency. 



A.1 Mobile originated circuit switched calls 

Figure A. 1 shows the interception of a basic mobile originated circuit switched speech or data call where the originating 
mobile (A) is the target for interception. B is not necessarily also a mobile subscriber and resides on a different 
exchange. 



DF2 



DF3 DF3 

Bearer Signalling 



Prepare Bearer Establishment/ 
Establish Bearer 



Call 



Stut lines contain CC 



Release Bearer/Release Resource i 



MS A MSC Server MGW 

SETUP 



setup of stublines 
Bearer Esitablishment 



istablishment Attemp: 



Answer 



DfAB 



release 
Bearer 



Release 



ALERTING 



CONNECT 



DISCONNECT 

4 ► 



of Stublines 
Release 



Establish Bearer/ 
Prepare Bearer Establishment 



lAM 



ACM 



CPG(alert) 



ANM 



REL 



Release Resource/Release Bearer 



Figure A.1 : Interception of mobile originated circuit switched calls 

In figure A.1 the result (answer) of the set-up of the stublines is not shown. This assumes no special action is taken in 
case of failure. 
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A.2 Mobile terminated circuit switched calls 

Figure A. 2 shows the interception of a basic mobile terminated circuit switched speech or data call where the 
terminating mobile (B) is the target for interception. A is not necessarily also a mobile subscriber and resides on a 
different exchange. 
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Figure A.2: Interception of mobile terminated circuit switched calls 
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A.3 Call hold / call waiting 



Figures A. 3 and A.4 show the interception of calls involving call hold / call waiting. Figure A. 3 covers the case where 
one pair of stublines is used per target, figure A.4 covers the case where a separate pair of stublines is used for each 
target call. The mobile that receives the waiting call (A) is the target for interception. 
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Figure A.3: Interception of call hold / call waiting - stublines per target 
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Figure A.4: Interception of call hold / call waiting - stublines per target call 
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A.4 Multiparty calls 



Figures A. 5 and A. 6 show the interception of multiparty calls. Figure A. 5 covers the case where one pair of stublines is 
used per target, figure A. 6 covers the case where a separate pair of stublines is used for each target call. The mobile 
setting up the multiparty call (A) is the target for interception. 
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Figure A.5: Interception of multiparty calls - stublines per target 
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Figure A.6: Interception of multiparty calls - stublines per target call 
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A.5 Call forwarding / call deflection 

The following pictures show the information flows for the interception of forwarded calls. Information flows will be 
given for three typical cases of call forwarding. All other types of call forwarding / call deflection are intercepted 
similar to one of these. 



A.5.1 Unconditional call forwarding 



Figure A.7 shows the interception of unconditionally forwarded calls. The mobile that activated unconditional call 
forwarding (B) is the target for interception. In this case interception will be performed at the 3G GMSC, where the 
Service Request Indicator (SRI) request for B is issued and subsequently the SRI response indicating that the call shall 
be forwarded is received. 
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Figure A.7: Interception of unconditional call forwarding 



A.5.2 Call forwarding on not reachable (IMSI detached) 

Call forwarding on not reachable because the IMSI is detached is also handled on the 3G GMSC. Interception of this 
type of call forwarding is similar to interception of unconditional call forwarding. 
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A.5.3 Call forwarding on busy (network determined) 

Figure A. 8 shows the interception of call forwarding on busy (network determined). The mobile that activated call 
forwarding on busy (B) is the target for interception. In this case interception will be performed at the 3G MSC where B 
resides, where the busy condition is detected and the call is forwarded. 
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Figure A.8: Interception of call forwarding on busy (network determined) 
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A.5.4 Call forwarding on not reachable (no response to 
paging/radio channel failure) 

Call forwarding on not reachable because of no response to paging or radio channel failure is also handled on the 
3G MSC similar to call forwarding on busy (network determined). Interception of this type of call forwarding is 
therefore done in the same way (see clause A.5.3). 

A.5.5 Call forwarding on no reply 

Figure A. 9 shows the interception of call forwarding on no reply. The mobile that activated call forwarding on no reply 
(B) is the target for interception. In this case interception will be performed at the 3G MSC where B resides, where the 
no reply condition is detected and the call is forwarded. Initially, the interception is similar to the interception of a basic 
mobile terminated circuit switched speech of data call. On no reply time-out, the interception will continue on the 
forwarded call to C. 
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Figure A.9: Interception of call forwarding on no reply 

In figure A.9 the release of the stubHnes is done after the forwarded call is released by A or C. It is a national option not 
to support interception of forwarded calls. In that case, the release of the stublines is done after the call is forwarded and 
B is no longer involved. 

A.5.6 Call forwarding on busy (user determined)/call deflection 

Call forwarding on busy (user determined) and call deflection are also handled on the 3G MSC similar to call 
forwarding on no reply. Interception of this type of call forwarding is therefore done in the same way (see A5.5). 
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A.5.7 Call waiting / call forwarding on no reply 

Figures A. 10 and A.l 1 show the interception of a call involving both call waiting and call forwarding on no reply. 
Figure A. 10 covers the case where one pair of stublines is used per target, figure A.l 1 covers the case where a separate 
pair of stublines is used for each target call. The mobile that activated call forwarding on no reply and receives the 
waiting call (B) is the target for interception. In figure A. 10 a new pair of stublines needs to be set up when the call is 
forwarded since the first pair of stublines is still used for the initial call. 
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Figure A.10: Interception of call waiting / call forwarding on no reply - stublines per target 
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Figure A.11 : Interception of call waiting / call forwarding on no reply - stublines per target call 
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A.6 Explicit call transfer 



Figures A. 12 and A. 13 show the interception of expHcit call transfer. Figure A. 12 covers the case where one pair of 
stublines is used per target, figure A. 13 covers the case where a separate pair of stublines is used for each target call. 
The mobile transferring the call (B) is the target for interception. 
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Figure A.12: Interception of explicit call transfer - stublines per target 
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Figure A.13: Interception of explicit call transfer - stublines per target call 

In figures A. 12 and A.13 the release of the stubHnes is done after the transferred call is released by A or C. It is a 
national option not to support interception of transferred calls. In that case, the release of the stublines is done after the 
call is transferred and B is no longer involved. 
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Annex B (informative): 

Information flows for Lawful Interception invocation of GSN 

Packet Data services 

The following figures show the information flows for the invocation of Lawful Interception for Packet Data and typical 
scenarios. The figures show some of the basic signalling messages of the target Packet Data communication and the 
events on the X2 and X3 interfaces. The dotted lines indicate signalling depending on whether CC and/or IRI 
information has been requested. The Gateway 3G GGSN may setup/release packet tunnels and send IRI information 
depending on national requirements. 

The use of the Gateway 3G GGSN for interception is a national option. 



B.1 Mobile Station Attach 



Figure B.l shows the interception of a basic Mobile Station Attach where the mobile (A) is the target for interception. 
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Figure B.1 : Interception of mobile originated Mobile Station Attachment 
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B.2 Mobile Initiated Mobile Station Detach 

Figure B.2 shows the interception of a Mobile Initiated Mobile Station Detach where the originating mobile (A) is the 
target for interception. 
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Figure B.2: Interception of mobile originated Mobile Station Detachment 



B.3 Network initiated Mobile Station Detach 

Figure B.3 shows the interception of a network initiated (by 3G SGSN or HLR) Mobile Station Detach where the 
mobile (A) is the target for interception. 
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Figure B.3: Interception of network initiated Mobile Station Detach 
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B.4 Intra 3G GSN Routing Area Update 

Figure B.4 shows the interception of an Intra Routing Area Update where the mobile (A) is the target for interception. 
The sequence is the same for the combined RA / LA Update procedure but additional signalling is performed between 
the current 3G SGSN and the prior 3G SGSN before the Routing Area Update Accept message is sent to the MS. 
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Figure B.4: Interception of an Intra Routing Area Update 



B.5 Inter 3G GSN Routing Area Update 

Figure B.5 shows the interception of an Inter Routing Area Update where the mobile (A) is the target for interception. 
The sequence is the same for the combined RA / LA Update procedure but additional signalling is performed between 
the 3G GSN, HLR and the old 3G GSN before the Routing Area Update Accept message is sent to the MS. In case of 
PDP context not being active less signalling is required. 
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Figure B.5: Interception of an Inter Routing Area Update 
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B.6 PDP Context Activation 



Figure B.6 shows the interception of a PDP Context activation where the mobile (A) is the target for interception. The 
sequence for a network initiated PDP Context activation is analogous but is preceded by the 3G GSN sending a Request 
PDP Context Activation to the MS. 
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Figure B.6: Interception of a PDP Context Activation 



B.7 Start of interception with PDP context active 

A tunnel is estabhshed to DF3 and an event is sent to DF2. 
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B.8 MS initiated PDP Context Deactivation 

Figure B.7 shows the interception of a MS initiated PDP Context deactivation where the mobile (A) is the target for 
interception. 
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Figure B.7: Interception of a PDP Context Deactivation 



B,9 Network initiated PDP Context Deactivation 

Figure B.8 shows the interception of a Network initiated PDP Context deactivation where the mobile (A) is the target 
for interception. The 3G GGSN may send, (depending on national requirements) the PDP Context deactivation and 
release the Packet Data tunnel after the Delete PDP Context Response has been sent or received, (signalling between the 
3G SGSN and the 3G GGSN is not shown here). 



DF2 



DF3 



MSA 



3G SGSN 



Deactivate PDF> context Request 



Deactivate PDP Context Accept 



Release of Packet Data tunnel 
PDP Context Deactivation 



Figure B.8: Interception of a Network initiated PDP Context Deactivation 
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B.10 SMS 



Figures B.9a and B.9b show the interception of a Mobile-terminated SMS. Figures B.lOa and B.lOb show the 
interception of a Mobile-originated SMS. In all the scenarios, the mobile subscriber (A) is the target for interception. 
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Figure B.9a: MT-SMS interception after 3G SGSN receives notification of SMS delivery to MS(A) 
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Figure B.9b: MT-SMS interception after 3G SGSN receives SMS from SMSC 
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Figure B.10a: MO-SMS interception after 3G SGSN receives notification of SMS delivery from SMSC 
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Figure B.10b: MO-SMS interception after 3G SGSN receives SMS from MS(A) 
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Annex C (informative): 

Information flows for the invocation of Lawful Interception for 

Packet Data with multimedia 

The following figures show the information flows for the invocation of Lawful Interception for Packet Data with 
multimedia. The figures show some of the basic signalling messages of the target Packet Data communication and the 
events on the X2 interfaces. The dotted lines indicate signalling depending on whether IRI information has been 
requested. The figures illustrate interception in the visited network. 

The figures in this annex only apply to scenarios where the P-CSCF is located in the visited network. In some operator 
deployment scenarios, the P-CSCF will be in the Home Network. Where the P-CSCF is located in the Home Network 
and UE to P-CSCF signalling encryption is applied, all SIP messages between the P-CSCF and the UE will be 
encrypted within the visited network and therefore plain text interception in the visited network may not be possible. 



C.1 Multimedia registration 



Figures C.1.1 and C.1.2 show the intercept of the Multimedia registration for the case of visited network interception 
(refer to TS 23.228 clauses 5.3.2.4 and 5.3.2.5). 



Visited Network 



Home 



DF2 



UE 



P-CSCF 



l-GSGF 



Register 



Register 



Register 



HSS 



Cx-Query 



Serving 
Network 



Cx -QueryResp 



Cx-Select-pull 



Cx-Select-pull Resp 



Continuation of registration 



Figures C.1 .1 and C.1 .2 show the intercept of the Multimedia registration for the case of visited network 
interception, where the P-CSCF is located in the Visited Network (refer to TS 23.228 clauses 5.3.2.4 and 
5.3.2.5). 

Figure C.1.1 : Intercept of Start of Multimedia Registration 
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Figure C.I. 2: Intercept of Continuation of Multimedia Registration 

NOTE: The same SIP Registration command is used for the initial registration and any registration updates. 

Registration deletion request is accomplished with a Registration command that indicates a '*' contact or 
zero expiration time. 
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C.2 Multimedia Session Establishment and Answer 

Figure C2 shows the intercept of the MuUimedia EstabHshment and Answer in the visited network, where the P-CSCF 
is located in the Visited Network (refer to 3G TS 23.228, clause 5.7.1). 
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Figure C.2 Intercept of Multimedia Establishment and Answer at Visiting Network 
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C.3 Multimedia Release 



Figure C.3 shows the intercept of the Multimedia Release in the visited network, where the P-CSCF is located in the 
Visited Network (3G TS 23.228, clause C.2.1 reference available). 
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Figure C.3 Intercept of Multimedia Release at Visiting Network 



C.4 Multimedia with Supplementary Service - Call 
Forwarding 

Not defined in this release. 

C.5 Multimedia with Supplementary Service - Explicit 
Call Transfer 

Not defined in this release. 

C.6 Multimedia with Supplementary Service - Subscriber 
Controlled input 

Not defined in this release. 
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Annex D (informative): 

Information flows for Lawful Interception invocation at the 

MGW using H.248 

The following figures show the use of H.248 in setting up a bearer intercept point at the MGW. 

D.1 Mobile to Mobile call, originating side is target 

Figure D.l shows the network model for interception of a mobile-to-mobile call, where the originating mobile 
subscriber is the target for interception. 

Figure D.2 message sequence only shows the H.248 elements related to the necessary topology, which could be used in 
this example. 

Normal call establishment using other H.248 elements shall be in accordance with TS 23.205. 
It should be noted that other means exist with H.248 to achieve similar interception. 
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Figure D.1 : Mobile to Mobile call originating side is target (network model) 
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